Edit tour

Windows Analysis Report
ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Overview

General Information

Sample name:	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe renamed because original name is a hash value
Original sample name:	ZOOM_b0138065277.exe
Analysis ID:	1579960
MD5:	5d04da31238ff20998723b09affd65d3
SHA1:	c00ada0d38135108c2028882ec9b340b905d667d
SHA256:	f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Entry point lies outside standard sections

One or more processes crash

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe" MD5: 5D04DA31238FF20998723B09AFFD65D3)

WerFault.exe (PID: 1632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1564 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

HTTP traffic detected: POST /downloader/soft/reportNew HTTP/1.1Accept: */*Accept-Language: zh-CN,zh;q=0.9Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36Host: softmgr-stat.ludashi.comContent-Length: 300Cache-Control: no-cacheData Raw: 38 6a 34 39 4e 37 65 56 70 61 68 37 6b 78 4c 61 47 39 2b 4b 63 54 4f 68 6e 56 45 70 69 75 72 68 6f 58 65 32 71 62 79 42 4a 70 64 4a 31 49 6b 79 61 47 74 30 58 32 4a 6d 71 4f 46 35 59 79 41 35 58 58 58 4f 61 54 36 57 32 48 55 34 49 74 6d 77 58 49 75 44 6b 37 50 39 61 4b 4b 56 34 65 76 77 44 6c 51 64 55 78 47 46 51 33 59 53 46 6d 38 39 61 47 71 74 48 43 63 6f 74 53 66 4f 52 51 33 4d 63 35 56 4e 77 50 6c 54 75 4f 77 66 51 46 62 64 51 6d 54 69 43 6b 54 64 65 53 44 4c 36 74 52 36 57 33 68 77 70 68 38 67 55 56 31 64 44 33 52 65 54 33 62 62 4f 4e 6c 59 66 2b 6d 4c 38 68 67 63 79 59 34 66 59 6e 4e 59 70 32 55 68 4c 6f 48 52 4a 62 4d 52 4b 6f 5a 70 57 7a 38 64 65 30 41 69 41 73 5a 52 34 53 44 42 76 45 32 6e 48 4e 42 78 56 4e 73 4f 42 48 50 30 6e 61 72 51 55 4d 4f 42 6c 42 49 2b 74 63 30 7a 37 56 2f 37 59 39 67 69 4c 62 31 42 42 4f 31 66 62 4d 43 47 59 4f 75 68 34 4e 51 41 66 58 65 64 2b 4a 49 3d Data Ascii: 8j49N7eVpah7kxLaG9+KcTOhnVEpiurhoXe2qbyBJpdJ1IkyaGt0X2JmqOF5YyA5XXXOaT6W2HU4ItmwXIuDk7P9aKKV4evwDlQdUxGFQ3YSFm89aGqtHCcotSfORQ3Mc5VNwPlTuOwfQFbdQmTiCkTdeSDL6tR6W3hwph8gUV1dD3ReT3bbONlYf+mL8hgcyY4fYnNYp2UhLoHRJbMRKoZpWz8de0AiAsZR4SDBvE2nHNBxVNsOBHP0narQUMOBlBI+tc0z7V/7Y9giLb1BBO1fbMCGYOuh4NQAfXed+JI=

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%s
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%shttp://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&ur
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:%d/jsond/ping
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&url=%s&option=%s
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.111
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.d
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2134367065.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll8
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128878207.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495223849.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.00000000010A7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128603827.00000000010B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dll
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dllC
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://l.public.ludashi.com/pc/udldslite/dogSunhttp://l.public.ludashi.com/pc/ud/dogsundataerror
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.0000000001099000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1024.1225.801&modver=6
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.00000000010A7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modve
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2129492013.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.000000000101D000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://softmgr-cfg.ludashi.com/inst/get3
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.000000000101D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-cfg.ludashi.com/inst/get3122
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-cfg.ludashi.com/inst/get3API.dllm(7
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.000000000101D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-cfg.ludashi.com/inst/get3cw5rG
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2134367065.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNew
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNew0;
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNewR
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNewdownloader
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2134367065.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNewk
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ludashi.com/lisence.htmlerror
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ludashi.com/stat/pc.php?pid=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E4A000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495182815.0000000002E4D000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2134367065.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_a
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E4A000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495182815.0000000002E4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dllt
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128668989.0000000002E07000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128229402.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2129047379.0000000002E07000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DF9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2138280110.0000000002E08000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128382442.0000000002E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comB
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://paint-s.ludashi.com/allcommon?ptype=thundercdn&s=CProgressPage::RecheckDownloadTaskhttp_info
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ludashi.comhttps://www.ludashi.com/page/contact.phpnx

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Memory allocated: 77030000 page execute and read and write

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1564

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.evad.winEXE@2/11@3/3

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

File created: C:\Program Files (x86)\Ludashi

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\get3[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6200
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Mutant created: \Sessions\1\BaseNamedObjects\CUSERSuserAPPDATAROAMINGDOWNLOADERDOWNLOADERLOG
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Mutant created: \Sessions\1\BaseNamedObjects\ThunderMissionDownloadingMutex

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

File created: C:\Users\user\AppData\Local\Temp\{2572B3E2-D6D2-48e1-8785-B5D1B6CA6FBD}.tf

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe "C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe"
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1564

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: netbios.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: certificate valid

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: More than 139 > 100 exports found

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static file information: File size 5702624 > 1048576

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: Raw size of .inx1 is bigger than: 0x100000 < 0x566800

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: _b015226917.pdb source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Source: initial sample

Static PE information: section where entry point is pointing to: .inx1

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Static PE information: section name: .inx0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Static PE information: section name: .inx1

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 10F0005 value: E9 2B BA DC 75	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 76EBBA30 value: E9 DA 45 23 8A	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 2CC0008 value: E9 8B 8E 24 74	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 76F08E90 value: E9 80 71 DB 8B	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 2CD0005 value: E9 8B 4D DA 72	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 75A74D90 value: E9 7A B2 25 8D	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 2D10005 value: E9 EB EB D7 72	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 75A8EBF0 value: E9 1A 14 28 8D	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 2D20005 value: E9 8B 8A 13 73	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 75E58A90 value: E9 7A 75 EC 8C	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 2D30005 value: E9 2B 02 15 73	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 6200 base: 75E80230 value: E9 DA FD EA 8C	Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496101101.000000000075A000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLLQ'I
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496101101.000000000075A000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	RDTSC instruction interceptor: First address: D81AB8 second address: F2BEE2 instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 bts eax, edx 0x00000009 inc dx 0x0000000c xor bl, cl 0x0000000e sal dl, cl 0x00000010 mov edx, dword ptr [esp+ecx] 0x00000013 add ax, sp 0x00000016 cmp di, dx 0x00000019 neg ax 0x0000001c lea edi, dword ptr [edi-00000004h] 0x00000022 movzx eax, si 0x00000025 bswap eax 0x00000027 mov dword ptr [edi], edx 0x00000029 rcl al, FFFFFF82h 0x0000002c mov eax, dword ptr [esi] 0x0000002e clc 0x0000002f jmp 00007FAF94CDF62Bh 0x00000034 add esi, 00000004h 0x0000003a clc 0x0000003b xor eax, ebx 0x0000003d xor eax, 05836C2Eh 0x00000042 clc 0x00000043 rol eax, 1 0x00000045 clc 0x00000046 add eax, 47AA4C98h 0x0000004b test esi, 25C5195Eh 0x00000051 jmp 00007FAF95029532h 0x00000056 bswap eax 0x00000058 cmp ch, 0000003Fh 0x0000005b xor ebx, eax 0x0000005d add ebp, eax 0x0000005f jmp 00007FAF94AF76E6h 0x00000064 lea eax, dword ptr [esp+60h] 0x00000068 cmp bp, di 0x0000006b test edi, 7F572217h 0x00000071 cmp edi, eax 0x00000073 ja 00007FAF94E5597Dh 0x00000079 push ebp 0x0000007a ret 0x0000007b movzx ecx, byte ptr [esi] 0x0000007e lea esi, dword ptr [esi+00000001h] 0x00000084 sal dh, 00000008h 0x00000087 xor cl, bl 0x00000089 bsr edx, ecx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	RDTSC instruction interceptor: First address: D0F75F second address: D0F779 instructions: 0x00000000 rdtsc 0x00000002 setno dh 0x00000005 dec ebp 0x00000006 btr dx, si 0x0000000a xadd edi, eax 0x0000000d not ebp 0x0000000f bsf si, si 0x00000013 bswap ebx 0x00000015 clc 0x00000016 lea ebp, dword ptr [ebp+ecx+00h] 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	RDTSC instruction interceptor: First address: 9064F1 second address: 9CAE9B instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 bts eax, edx 0x00000009 inc dx 0x0000000c xor bl, cl 0x0000000e sal dl, cl 0x00000010 mov edx, dword ptr [esp+ecx] 0x00000013 add ax, sp 0x00000016 cmp di, dx 0x00000019 neg ax 0x0000001c lea edi, dword ptr [edi-00000004h] 0x00000022 movzx eax, si 0x00000025 bswap eax 0x00000027 mov dword ptr [edi], edx 0x00000029 rcl al, FFFFFF82h 0x0000002c mov eax, dword ptr [esi] 0x0000002e clc 0x0000002f jmp 00007FAF94BFD0BCh 0x00000034 add esi, 00000004h 0x0000003a clc 0x0000003b xor eax, ebx 0x0000003d xor eax, 05836C2Eh 0x00000042 clc 0x00000043 rol eax, 1 0x00000045 clc 0x00000046 add eax, 47AA4C98h 0x0000004b test esi, 25C5195Eh 0x00000051 jmp 00007FAF94F883D8h 0x00000056 bswap eax 0x00000058 cmp ch, 0000003Fh 0x0000005b xor ebx, eax 0x0000005d add ebp, eax 0x0000005f jmp 00007FAF94D064DEh 0x00000064 lea eax, dword ptr [esp+60h] 0x00000068 cmp bp, di 0x0000006b test edi, 7F572217h 0x00000071 cmp edi, eax 0x00000073 ja 00007FAF94D5E548h 0x00000079 push ebp 0x0000007a ret 0x0000007b movzx ecx, byte ptr [esi] 0x0000007e lea esi, dword ptr [esi+00000001h] 0x00000084 sal dh, 00000008h 0x00000087 xor cl, bl 0x00000089 bsr edx, ecx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	RDTSC instruction interceptor: First address: A0A22A second address: A0A244 instructions: 0x00000000 rdtsc 0x00000002 setno dh 0x00000005 dec ebp 0x00000006 btr dx, si 0x0000000a xadd edi, eax 0x0000000d not ebp 0x0000000f bsf si, si 0x00000013 bswap ebx 0x00000015 clc 0x00000016 lea ebp, dword ptr [ebp+ecx+00h] 0x0000001a rdtsc

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2134367065.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Queries volume information: C:\Users\user\AppData\Roaming\titan\titan.log VolumeInformation

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Masquerading	1 Credential API Hooking	231 Security Software Discovery	Remote Services	1 Credential API Hooking	3 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	13 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	122 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	48%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%shttp://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&ur	0%	Avira URL Cloud	safe
http://softmgr-cfg.ludashi.com/inst/get3122	0%	Avira URL Cloud	safe
http://softmgr-cfg.ludashi.com/inst/get3	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	0%	Avira URL Cloud	safe
http://softmgr-cfg.ludashi.com/inst/get3API.dllm(7	0%	Avira URL Cloud	safe
http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dll	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNewk	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll8	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNewdownloader	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNew0;	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNew	0%	Avira URL Cloud	safe
http://cdn-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	0%	Avira URL Cloud	safe
http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%s	0%	Avira URL Cloud	safe
https://www.ludashi.comhttps://www.ludashi.com/page/contact.phpnx	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/jsond/ping	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.111	0%	Avira URL Cloud	safe
http://l.public.ludashi.com/pc/udldslite/dogSunhttp://l.public.ludashi.com/pc/ud/dogsundataerror	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNewR	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&url=%s&option=%s	0%	Avira URL Cloud	safe
http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dllC	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dllt	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_a	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.d	0%	Avira URL Cloud	safe
http://softmgr-cfg.ludashi.com/inst/get3cw5rG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
softmgr-cfg.ludashi.com	49.4.55.6	true	false	unknown
softmgr-stat.ludashi.com	114.115.204.103	true	false	unknown
s.ludashi.com	47.117.77.180	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176	false		high
http://softmgr-cfg.ludashi.com/inst/get3	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176	false		high
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[method]=titan_sdk&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176	false		high
http://softmgr-stat.ludashi.com/downloader/soft/reportNew	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[method]=titan_sdk&ex_ary[time]=0&ex_ary[errcode]=17_0_0_0&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dll	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url2?pid=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://softmgr-stat.ludashi.com/downloader/soft/reportNewk	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2134367065.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll8	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1024.1225.801&modver=6	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.0000000001099000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E12000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DD0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E4A000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495182815.0000000002E4D000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2134367065.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%shttp://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&ur	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://softmgr-cfg.ludashi.com/inst/get3API.dllm(7	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2134367065.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	false		high
https://paint-s.ludashi.com/allcommon?ptype=thundercdn&s=CProgressPage::RecheckDownloadTaskhttp_info	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.ludashi.com/stat/pc.php?pid=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://softmgr-cfg.ludashi.com/inst/get3122	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.000000000101D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://softmgr-stat.ludashi.com/downloader/soft/reportNewdownloader	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	false		high
http://softmgr-stat.ludashi.com/downloader/soft/reportNew0;	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128878207.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495223849.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495425390.00000000010A7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128514702.000000000105F000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128603827.00000000010B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://curl.haxx.se/docs/http-cookies.html	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modve	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.00000000010A7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2494893876.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ludashi.com/lisence.htmlerror	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://l.public.ludashi.com/pc/udldslite/dogSunhttp://l.public.ludashi.com/pc/ud/dogsundataerror	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ludashi.comhttps://www.ludashi.com/page/contact.phpnx	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-ocsp.symauth.com0	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	false		high
http://softmgr-stat.ludashi.com/downloader/soft/reportNewR	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.111	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%s	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d/jsond/ping	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&url=%s&option=%s	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2495893985.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dllC	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2129492013.0000000002DF8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2128936916.000000000105C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dllt	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E4A000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2495182815.0000000002E4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.d	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	false	Avira URL Cloud: safe	unknown
http://softmgr-cfg.ludashi.com/inst/get3cw5rG	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.000000000101D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_a	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2497259410.0000000002E2A000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.2496789859.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
47.117.77.180	s.ludashi.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
114.115.204.103	softmgr-stat.ludashi.com	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
49.4.55.6	softmgr-cfg.ludashi.com	China	55990	HWCSNETHuaweiCloudServicedatacenterCN	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579960
Start date and time:	2024-12-23 17:10:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe renamed because original name is a hash value
Original Sample Name:	ZOOM_b0138065277.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@2/11@3/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.190.177.146, 23.218.208.109, 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, PID 6200 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Simulations

Behavior and APIs

Time	Type	Description
11:11:15	API Interceptor	1x Sleep call for process: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe modified
11:11:51	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
47.117.77.180	LisectAVT_2403002B_152.exe	Get hash	malicious	Unknown	Browse
47.117.77.180	SecuriteInfo.com.FileRepPup.9888.7317.exe	Get hash	malicious	Unknown	Browse
114.115.204.103	SecuriteInfo.com.FileRepPup.9888.7317.exe	Get hash	malicious	Unknown	Browse	softmgr-stat.ludashi.com/downloader/soft/reportNew
49.4.55.6	SecuriteInfo.com.FileRepPup.9888.7317.exe	Get hash	malicious	Unknown	Browse	softmgr-cfg.ludashi.com/inst/get3

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s.ludashi.com	LisectAVT_2403002B_152.exe	Get hash	malicious	Unknown	Browse	106.15.136.209
	SecuriteInfo.com.FileRepPup.9888.7317.exe	Get hash	malicious	Unknown	Browse	47.117.77.180
	SecuriteInfo.com.FileRepPup.14593.15387.exe	Get hash	malicious	Unknown	Browse	47.117.76.6
	SecuriteInfo.com.FileRepMalware.20313.1405.exe	Get hash	malicious	Unknown	Browse	106.15.48.27
	http://api.pdfxd.com/pdf-service/v1/action?os=163842&device_id=741e5fc1b4d58e5b4c3ac5f1dc5a9464&version=&qd=&day=&t=4312453&product=xundu&machine_name=141700	Get hash	malicious	Unknown	Browse	47.117.76.201
	XMind #U00e6#U00e7#U00bb#U00b4#U00e5#U00af#U00bc#U00e5#U00be@8001_663@2.8.exe	Get hash	malicious	Unknown	Browse	47.117.76.6
	UM6rAJhKEq.exe	Get hash	malicious	Unknown	Browse	47.117.76.6
	mAGs0IsoB7.exe	Get hash	malicious	Unknown	Browse	47.117.76.6
softmgr-stat.ludashi.com	https://down-package.ludashicdn.com/downloader/temp_package/2024-07/%E8%85%BE%E8%AE%AF%E4%BC%9A.%E8%AE%AE_4496905339.exe	Get hash	malicious	Unknown	Browse	114.115.204.103
softmgr-stat.ludashi.com	SecuriteInfo.com.FileRepPup.9888.7317.exe	Get hash	malicious	Unknown	Browse	114.115.204.103
softmgr-cfg.ludashi.com	https://down-package.ludashicdn.com/downloader/temp_package/2024-07/%E8%85%BE%E8%AE%AF%E4%BC%9A.%E8%AE%AE_4496905339.exe	Get hash	malicious	Unknown	Browse	49.4.55.6
softmgr-cfg.ludashi.com	SecuriteInfo.com.FileRepPup.9888.7317.exe	Get hash	malicious	Unknown	Browse	49.4.55.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HWCSNETHuaweiCloudServicedatacenterCN	armv4l.elf	Get hash	malicious	Unknown	Browse	117.78.92.42
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	121.36.176.226
	nshsh4.elf	Get hash	malicious	Mirai	Browse	124.70.244.248
	star.ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	139.9.52.45
	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	139.159.139.109
	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	139.159.139.109
	jew.mips.elf	Get hash	malicious	Unknown	Browse	124.70.20.249
	arm7.elf	Get hash	malicious	Unknown	Browse	121.37.152.93
	IGz.mips.elf	Get hash	malicious	Mirai	Browse	121.37.118.203
	TRC.spc.elf	Get hash	malicious	Mirai	Browse	121.36.194.254
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	armv5l.elf	Get hash	malicious	Unknown	Browse	110.75.160.248
	2.elf	Get hash	malicious	Unknown	Browse	8.188.205.69
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	112.124.206.2
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	140.205.236.15
	2.elf	Get hash	malicious	Unknown	Browse	8.132.125.243
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	47.106.0.180
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	112.75.59.9
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	182.92.199.130
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	120.77.243.36
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	123.62.119.123
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	armv5l.elf	Get hash	malicious	Unknown	Browse	202.96.32.85
	armv4l.elf	Get hash	malicious	Unknown	Browse	113.46.69.201
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	111.200.104.170
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	118.245.0.12
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	111.198.81.253
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	123.124.24.246
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	101.41.234.192
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	103.135.166.192
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	118.144.22.187
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	60.195.238.149

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7158117829237156
Encrypted:	false
SSDEEP:	3:3Dadri2Hl:3DabF
MD5:	56A10C7B7B90586FA8804EC97D7674E4
SHA1:	7D9DF048BC8D91F8DC49FC6C4DECA0D9E9901149
SHA-256:	855A7EA642613844CB50C4E3DAF0769AD4932B096E2876AA97BC18D2462391E6
SHA-512:	11B0DA7ABB30B101330E0C39D1D0DE7541D8E9A866BA4B32BB253406352AAF7F77929AAFCD53B9F46739DA07812D66DB454F46946F19FD52C96422D598630828
Malicious:	false
Reputation:	low
Preview:	{.3.3.E.E.B.2.C.4.-.6.8.6.6.-.4.f.3.b.

C:\Program Files (x86)\Ludashi\{D8B6A3D8-E63E-4c7a-927C-B7032B9C9588}.tf

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.8081742830375824
Encrypted:	false
SSDEEP:	3:ilJnjNCgYM:G9NCgL
MD5:	65BBAF9B57F73E1D967976D497B9EF09
SHA1:	ADEBC32CDCBFA8150869D522056C98448A3DDBD6
SHA-256:	858367081D77B20F340F01C69A2799CE9C3F1D5332E37B54DAB333501C42849B
SHA-512:	BD89F0A6241E43AD918811ABFA1FDCF812F216B6ECC50B33AAC4D6B9D4CE8E8672B4400EA79E840F0FFF6772CFF9102E3788AD2AC51E7D2AC647D7AD0EA3865F
Malicious:	false
Reputation:	low
Preview:	{.D.8.B.6.A.3.D.8.-.E.6.3.E.-.4.c.7.a.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ZOOM#U89c6#U9891_9891604cb1297265bb91bed08d9772ddf5edfcc_ade10476_80d56e64-0104-4a78-8a1a-309c024cd75e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.08986644847776
Encrypted:	false
SSDEEP:	192:GkZ8KZIspOK4R0BU/Goqj+amZr4gidzuiFKZ24IO85y:GLKZIswK4SBU/GoqjTdzuiFKY4IO85y
MD5:	98C09707BDC1A10B51B257234971C57C
SHA1:	2B0DBA2BD2583DBF2A4F1B9DFAEE6FA665DC09E2
SHA-256:	6ED69DB7E46DD800EA21FBEA7FE5430F14179BAE2C341D410B6BF17BF438BE85
SHA-512:	C1DA1BB28E888E85FECB79278895B6E5B4BD08CB8FF95A9900FDF7A00202CD1C84A12BC28707332B03C434C523DC01B0AFCF8664A823CB2BB6D2AC94E2968535
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.4.4.3.8.7.6.5.1.2.1.4.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.4.4.3.8.7.7.1.9.2.0.7.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.d.5.6.e.6.4.-.0.1.0.4.-.4.a.7.8.-.8.a.1.a.-.3.0.9.c.0.2.4.c.d.7.5.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.c.f.0.4.b.2.-.f.c.3.8.-.4.2.5.6.-.a.9.c.4.-.3.3.7.3.8.c.4.a.5.5.d.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Z.O.O.M.#.U.8.9.c.6.#.U.9.8.9.1.#.U.4.f.1.a.#.U.8.b.a.e._.b.0.1.3.8.0.6.5.2.7.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.3.8.-.0.0.0.1.-.0.0.1.4.-.6.5.f.6.-.0.c.4.6.5.5.5.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.f.7.1.d.5.9.c.9.8.8.d.f.9.f.7.b.9.d.9.d.5.9.f.4.4.5.8.7.5.f.a.0.0.0.0.0.9.0.4.!.0.0.0.0.c.0.0.a.d.a.0.d.3.8.1.3.5.1.0.8.c.2.0.2.8.8.8.2.e.c.9.b.3.4.0.b.9.0.5.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B5D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Dec 23 16:11:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	165598
Entropy (8bit):	2.1152301012275108
Encrypted:	false
SSDEEP:	768:hHR25LDtDrLX5ETVei3rpmR9MRJuKqNvLUMWM1:hcb7X5Eoi9mR9MRgKqNvnWM1
MD5:	2F42E5BA8EF822707111A7849BCBFABF
SHA1:	2F5328EE5394935FAB1E2ECB4B5C4E66A6E3425D
SHA-256:	95E1F874F1A249AADA846332A712F818CF7D4D00B4D26094FA591D1BB82A427A
SHA-512:	833D9420DC173C432533E8789AD8012815F6BC99E15D59803ECA5433E63518689040D98F4A369828700A812995C1D01D11F74522BA6E5E16A10B6B92EFFE6DCA
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........ig............4...............<...........Ba..........T.......8...........T............>...H...........$...........&..............................................................................eJ......X'......GenuineIntel............T.......8.....ig.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CA6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8468
Entropy (8bit):	3.707182469547568
Encrypted:	false
SSDEEP:	192:R6l7wVeJLxD6b6YEInSU4OngmfUNJsNjprJ89bMdsf4dkm:R6lXJL16b6YEoSU4OngmfUNJ6oMWfC
MD5:	428D96A4E40A881E6C17C591BA29D5FB
SHA1:	5F03B2986A72FC941027A21C69F593B7413C4A05
SHA-256:	3DB8BE55D6F3C39C37B47B991825F723785A5E1D1881E3FE3D21E1A5F36613B0
SHA-512:	9373CD93802F41F197FD7D58B0EE86721328EF5CC9FE20B154D0C3DC13BB6BF0AFF0020C87F8EFDC7DF3134AEAC1A501C2FCF462758AF792A95532B2039C96C3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CE6.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4756
Entropy (8bit):	4.563145261706658
Encrypted:	false
SSDEEP:	48:cvIwWl8zsrJg77aI9ToWpW8VY3Ym8M4JjfFOO+q8tL84kkPkbd:uIjfFI7lB7VPJjoVkkPkbd
MD5:	C366F0220277F72E183F64267B7E2BE7
SHA1:	F73FA34B4BD185A5582FF50937ADE946DA00EFDC
SHA-256:	E99081457C6BBC06D74167B9801CC78E7916DCE4A51642FC73FFBD88E39BE42F
SHA-512:	5757120F91711B061B586A378A55F1D127D471C30DA014CE2C3E30A238758066C9062DB6EE514BD359BF58AFE8CA11B70EA692CB3D5DD27CC4FD663782ABB191
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="644113" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\get3[1].htm

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	ASCII text, with very long lines (1612), with no line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	5.972451153692705
Encrypted:	false
SSDEEP:	48:wnRhMRXPghERuW6SbBh+uOfZEwfJ6T5fQtc6IKk/:wwRZ4DfZbfomthbk/
MD5:	3AF8D101B32C0B4E581A6B5306387CA0
SHA1:	8D85F91883EFAA1AF47D4D00C54445CA9BF0F15F
SHA-256:	2E4CEBA665CED52935F239B1AD8736EDDC327176DE5C7C34B4E225B95B5973C8
SHA-512:	53FDF2697E5469E55131E3855CFDB1198D00555DBEAB7F5FBFD7EDD26D13914E8EDCBA4902C46C427F80456E992870EC1E83D19805A33F10F0B767923A73D3D2
Malicious:	false
Reputation:	low
Preview:	TYna9pwhk2RwSlH/eyfuhBqWS92CIIbCOvqt7O4K5R40/JDPx655Ej3lN8rexfDyOQ8bF8C7cpL9IZ2FNQnvQZw1noOMn+VusVyJabNFGtD95aJXI/7OZQHzvB6XmD6fWt5z8O1IZV75+SBe1x/Y/hMscSuQWrqepWHUjdXL0lbMmWpc0L02lmDnsftArEFG3rkO7c9/6R5Be20r7Uoredff28a0k3+uZTNZD10bUXKZeFZGy4ESxrWChrJaBOOQffHck9y0xTszNTo+yCsA9qnQgpRrjeivHv4yKL9cMiWG2gD7m1+KpViRAmqzygRddBtr2B/jtkVFVkq1b1kHebTcOCf5S8GwmMYFhnvcQGAYWt84ud2nOZmuAXJz+rHkjORLRMcb51cs4rHE/AbB131ysscSFV2Ldx+54/Kcbq+kEKrqAsOayj0Kej+JrvKokiWVoC17iyg92diG4AO1LL5mHqbexuLNeRQz9lBJGbR+0BFxQescsyqpl2ZXlsOxZTNZD10bUXKoIa7NcSnWc09lskUkl4T9Pmz4jTCUWzHkbc6WTukrZbUVp1/u3L7U415p+MaPHCcKhhnbAt33fAO45/Bookz3F9PPLlYRNk8ntzAMJZyCmzLPj6jIAkyf9fUXckWjRKgE+QHZgH2gtdMxDaOC3EQrBGLiCEDmYSQNwvZWGlJjJuq0VVk/ZlwiN9aDxIEWP2D112492xhbVqeBVW6uPQkXdGmJYm3KOsUoij0u4fSj73yQpelTXXp3NzpOkB7q9ViVvWEMz2IJznI8ldeavOfRMXY/kf5GjBvHWxyQWc6GH55PUNL61Pg5YXWBtEuEzoXW9F5AjKEQX2L9HqtuRZGxhbkwkrVNcDmJTE7CtIQG/oOj6WxCQlZRi0OarLR+dLRf9398vLAhHsmJ53iJZRJVLiE0A3aZ0GkNvTs3MCaelr3T+8XHSaUviXlvkbj3dwCLQ5qstH50tK7q87GYdr5rMmN/6k8w

C:\Users\user\AppData\Local\Temp\{2572B3E2-D6D2-48e1-8785-B5D1B6CA6FBD}.tf

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.808174283037582
Encrypted:	false
SSDEEP:	3:plQljSlhJlh3IL6Ol:pZfeWOl
MD5:	050EA8E3A7851B010D8A7529E8318620
SHA1:	2D01DB770C460D83F238CD2790111B4F9781C7E6
SHA-256:	543EEA54289A1C30A94BC87386BC13511410ECB518DAF65C50D601685981E795
SHA-512:	980A301B0FE82DB2065A3006FEEAB205F8554467B9445E41604C8196A3A2A65D3BCB3F5B2F8162506C197C98043E477788832E10996C64C6D889FECDC44E15F7
Malicious:	false
Reputation:	low
Preview:	{.2.5.7.2.B.3.E.2.-.D.6.D.2.-.4.8.e.1.

C:\Users\user\AppData\Roaming\titan\titan.lck

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:D:D
MD5:	3250320DCAF3B60F1417B7B37986C4A3
SHA1:	5B88AE9BE6FB4236E3471519ABB479A3670B49CD
SHA-256:	40A7E9ACB06295D6CCC4DE8B5790AA4CEA3456F9BB1DD3E91F192BA5CA98BF97
SHA-512:	793859F6180B0F9A812524D3E031572CBD4D42438EFBEA528F3EB04FF2CEDDC118CD730E0E87DE4D20CE872148963C2A8B3183122DB6952E11662A0BCF708D9E
Malicious:	false
Preview:	titan

C:\Users\user\AppData\Roaming\titan\titan.log

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	161
Entropy (8bit):	5.19828760174453
Encrypted:	false
SSDEEP:	3:2i3rYU8Tt4vgdRfGQUgiLbii3rYU8Tt4oMLnWDUkh4EaKC5qfhWV:2isUKt3G2RisUKtvMrWD9aZ5qfhK
MD5:	9BBAD2ED22A31A8E4904E579BDD43726
SHA1:	ADE098CA1E3CCA4DC71ECA96F89369D177A53ACF
SHA-256:	585ABE1DCF4A3205DDF4368903DEEADDF1EF72B579BA2DFED83122B97A47A528
SHA-512:	652313A44C4172413A5E60F4522A8C26F06021D16488D716FB1C104322A699B5C8F770A79D2B6B24F212E9721F9ADCE90C89F8BC17855E26DD9B27C6090F74D9
Malicious:	false
Preview:	[TitanSDK][16:11:15.957][init] platform(x86), version=1.10.32(13b7797)..[TitanSDK][16:11:15.957][init] workspace=C:\Users\user\AppData\Roaming\titan, params=..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422028510435286
Encrypted:	false
SSDEEP:	6144:nSvfpi6ceLP/9skLmb0OTYWSPHaJG8nAgeMZMMhA2fX4WABlEnNi0uhiTw:SvloTYW+EZMM6DFyQ03w
MD5:	2D951735991C61C35A57C2ED292D1675
SHA1:	3BC30D71D7FD83BEF4775D9EB0B90105F6C3DD97
SHA-256:	F5A51A73AC32B52F83B75B265BE0CCEFC9EE052ECF468FB2EE98EDD9B49FA567
SHA-512:	54139A7424FC6581647DEA46308F47D4065261632D23E9D10DCA5B3801A97BD3ED457F7DE8F171D643737AE50C38BAC0646F873B4BF3382C4603F2E87681DFD3
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..sKUU...............................................................................................................................................................................................................................................................................................................................................rd.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.943805867073643
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File size:	5'702'624 bytes
MD5:	5d04da31238ff20998723b09affd65d3
SHA1:	c00ada0d38135108c2028882ec9b340b905d667d
SHA256:	f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa
SHA512:	ccb33dd91218101b59018d951d909c6827472c4645ac1fed59645c172beb532756fea8b559d3fa74d58f80b8016b6c575d9a54113c5c076b46c692cb6c9d68cb
SSDEEP:	98304:YpTSnAWfADmVwKQWTacPJ/XQuPFfybqxb1Dfb/yy38iH/pw1XSIfUEbnUme0/aoP:mGA1DmbT3d5Z/y+EfUEAaaNk/
TLSH:	5A46233343294249E4D4CD3D9A37BEE971F20B1B8A82BCF419DABDC225769D9D312913
File Content Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$.......?..K{...{...{...r.*.c...)...y...)...v...{...o...............1...:...........x.......}....F~.q.......}...)...f.......t...)...G..

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0xd4515f
Entrypoint Section:	.inx1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66AB597B [Thu Aug 1 09:46:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7528c6fa6e50b11c85c6d043d7885b65

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	21/05/2024 02:00:00 21/05/2027 01:59:59
Subject Chain	CN=\u6210\u90fd\u5947\u9c81\u79d1\u6280\u6709\u9650\u516c\u53f8, O=\u6210\u90fd\u5947\u9c81\u79d1\u6280\u6709\u9650\u516c\u53f8, L=\u6210\u90fd\u5e02, S=\u56db\u5ddd\u7701, C=CN, SERIALNUMBER=91510100394487762T, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=\u6210\u90fd\u9ad8\u65b0\u6280\u672f\u4ea7\u4e1a\u5f00\u53d1\u533a, OID.1.3.6.1.4.1.311.60.2.1.2=\u56db\u5ddd\u7701, OID.1.3.6.1.4.1.311.60.2.1.3=CN
Version:	3
Thumbprint MD5:	167BAFFC1D053557B1345BFD490610CB
Thumbprint SHA-1:	EC5BB0C4BE5D6F7CD9D863D6585CF1F3EF58FDA0
Thumbprint SHA-256:	CCFC26C7FC15163972E6E15716C46CFBCBB4D516F2F0DC3FA1A4687B09566AE8
Serial:	0D078E70EAEE48FFEB9576BDD400BE98

Entrypoint Preview

Instruction
jmp 00007FAF94DBAF7Ah
sub eax, dword ptr [edi]
sub eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FAF94D7CEE8h
inc edx
clc
stc
cmc
rol edx, 02h
jmp 00007FAF94E92697h
mov ecx, 520D5AF8h
mov ecx, 240DA85Bh
pop ebx
push ss
mov esp, 7F4980F2h
dec ebx
out CCh, al
out 5Ah, eax
or eax, 869E25C3h
fiadd word ptr [edi+eax+52950D45h]
lodsb
xlatb
or eax, 912372C6h
aaa
pmulhw mm5, qword ptr [ebp+0Dh]
pop eax
je 00007FAF94DBAFC7h
pushfd
or eax, 69364D23h
stosd
fdivp st(5), st(0)
push 0000004Ch
out dx, eax
adc byte ptr [esp+ebp-35h], bh
ucomiss xmm4, dqword ptr [edx]
push esp
mov esp, BF339426h
call far 53F8h : DDCB3FCAh
inc ecx
shr byte ptr [edi-3Fh], cl
dec edx
call far eax
stosd
or eax, 5A58BC72h
sub ebp, dword ptr [edi]
pop eax
xchg eax, edx
mov bl, 5Ch
sahf
arpl word ptr [eax+ebx], cx
ret
push es
pop eax
retf

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8de3f8	0x11e1	.inx1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x909564	0x1f4	.inx1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb73000	0x6cc5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x56da00	0x29e0	.inx0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb713a0	0x54	.inx1
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9a1be8	0x20	.inx1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb70e30	0x40	.inx1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x90c000	0xf0	.inx1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xa0ea24	0x240	.inx1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27fc9d	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x281000	0x966fc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x318000	0x41cc1	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.inx0	0x35a000	0x2b1587	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.inx1	0x60c000	0x566800	0x566800	31af098794bbb3df39acc8a8d2a5d5cb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb73000	0x6cc5	0x6e00	2b11349975ab4f16539a67ce40472b65	False	0.17634943181818183	data	4.515454659195658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb73220	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.21321961620469082
RT_ICON	0xb740c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.3953068592057762
RT_ICON	0xb74970	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.4479768786127168
RT_ICON	0xb74ed8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.09948132780082987
RT_ICON	0xb77480	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.12593808630393996
RT_ICON	0xb78528	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.19680851063829788
RT_GROUP_ICON	0xb78990	0x5a	data	Chinese	China	0.7
RT_VERSION	0xb789ec	0x240	data	Chinese	China	0.5208333333333334
RT_MANIFEST	0xb78c2c	0x1099	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.21440338903271358

Imports

DLL	Import
KERNEL32.dll	GetVersionExW
USER32.dll	SendMessageW
OLEAUT32.dll	VariantInit
dbghelp.dll	MakeSureDirectoryPathExists
VCRUNTIME140.dll	_except_handler4_common
api-ms-win-crt-string-l1-1-0.dll	strcmp
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vswprintf
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit
api-ms-win-crt-heap-l1-1-0.dll	calloc
api-ms-win-crt-locale-l1-1-0.dll	_unlock_locales
api-ms-win-crt-math-l1-1-0.dll	modf
api-ms-win-crt-convert-l1-1-0.dll	strtoul
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-time-l1-1-0.dll	_localtime64_s
api-ms-win-crt-filesystem-l1-1-0.dll	_wsplitpath_s
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-conio-l1-1-0.dll	_getch
WINMM.dll	timeGetTime
WLDAP32.dll
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery
USER32.dll	GetUserObjectInformationW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Exports

Name	Ordinal	Address
TitanSDK_AddHttpHeaderBypassKey	1	0x4a85c0
TitanSDK_AsyncOpenSession	2	0x4a8cc0
TitanSDK_CloseSession	3	0x4a8da0
TitanSDK_CloseSwarm	4	0x4a8bf0
TitanSDK_GetDownloadUrl	5	0x4a8960
TitanSDK_GetFlow	6	0x4a8ed0
TitanSDK_GetFlowDone	7	0x4a8fb0
TitanSDK_GetVodUrl	8	0x4a87c0
TitanSDK_OnNetworkChanged	9	0x4a87b0
TitanSDK_OpenSwarm	10	0x4a8b10
TitanSDK_PlayQuality	11	0x4a8e70
TitanSDK_PlayStatistics	12	0x4a8ea0
TitanSDK_SetListenPort	13	0x4a84e0
TitanSDK_SetPauseTimeout	14	0x4a84f0
TitanSDK_SetSleepTimeout	15	0x4a8500
TitanSDK_SetStartCallback	16	0x4a8b00
TitanSDK_SetToken	17	0x4a84d0
TitanSDK_SetWorkspace	18	0x4a8560
TitanSDK_Start	19	0x4a8630
TitanSDK_Stop	20	0x4a8710
pthreadCancelableTimedWait	21	0x5518b0
pthreadCancelableWait	22	0x5518c0
pthread_attr_destroy	23	0x5518e0
pthread_attr_getdetachstate	24	0x551920
pthread_attr_getinheritsched	25	0x551950
pthread_attr_getschedparam	26	0x551980
pthread_attr_getschedpolicy	27	0x5519b0
pthread_attr_getscope	28	0x5519e0
pthread_attr_getstackaddr	29	0x551a00
pthread_attr_getstacksize	30	0x551a30
pthread_attr_init	31	0x551a60
pthread_attr_setdetachstate	32	0x551ac0
pthread_attr_setinheritsched	33	0x551b00
pthread_attr_setschedparam	34	0x551b40
pthread_attr_setschedpolicy	35	0x551ba0
pthread_attr_setscope	36	0x551bd0
pthread_attr_setstackaddr	37	0x551c00
pthread_attr_setstacksize	38	0x551c30
pthread_barrier_destroy	39	0x551c60
pthread_barrier_init	40	0x551d00
pthread_barrier_wait	41	0x551d80
pthread_barrierattr_destroy	42	0x551e20
pthread_barrierattr_getpshared	43	0x551e50
pthread_barrierattr_init	44	0x551e80
pthread_barrierattr_setpshared	45	0x551eb0
pthread_cancel	46	0x551ee0
pthread_cond_broadcast	47	0x552020
pthread_cond_destroy	48	0x552040
pthread_cond_init	49	0x5521f0
pthread_cond_signal	50	0x552340
pthread_cond_timedwait	51	0x552360
pthread_cond_wait	52	0x552380
pthread_condattr_destroy	53	0x5523a0
pthread_condattr_getpshared	54	0x5523d0
pthread_condattr_init	55	0x552400
pthread_condattr_setpshared	56	0x552430
pthread_create	57	0x552460
pthread_delay_np	58	0x5525a0
pthread_detach	59	0x5526a0
pthread_equal	60	0x552760
pthread_exit	61	0x552780
pthread_getconcurrency	62	0x5527c0
pthread_getschedparam	63	0x5527d0
pthread_getspecific	64	0x552820
pthread_getunique_np	65	0x552850
pthread_getw32threadhandle_np	66	0x552860
pthread_getw32threadid_np	67	0x552870
pthread_join	68	0x552880
pthread_key_create	69	0x552950
pthread_key_delete	70	0x5529c0
pthread_kill	71	0x552a60
pthread_mutex_consistent	72	0x552ac0
pthread_mutex_destroy	73	0x552b00
pthread_mutex_init	74	0x552c00
pthread_mutex_lock	75	0x552ce0
pthread_mutex_timedlock	76	0x552fc0
pthread_mutex_trylock	77	0x553290
pthread_mutex_unlock	78	0x5533d0
pthread_mutexattr_destroy	79	0x5534d0
pthread_mutexattr_getkind_np	80	0x553500
pthread_mutexattr_getpshared	81	0x553510
pthread_mutexattr_getrobust	82	0x553540
pthread_mutexattr_gettype	83	0x553570
pthread_mutexattr_init	84	0x5535a0
pthread_mutexattr_setkind_np	85	0x5535e0
pthread_mutexattr_setpshared	86	0x5535f0
pthread_mutexattr_setrobust	87	0x553620
pthread_mutexattr_settype	88	0x553650
pthread_num_processors_np	89	0x553680
pthread_once	90	0x5536b0
pthread_rwlock_destroy	91	0x553730
pthread_rwlock_init	92	0x553870
pthread_rwlock_rdlock	93	0x553950
pthread_rwlock_timedrdlock	94	0x553a00
pthread_rwlock_timedwrlock	95	0x553ac0
pthread_rwlock_tryrdlock	96	0x553bc0
pthread_rwlock_trywrlock	97	0x553c70
pthread_rwlock_unlock	98	0x553d60
pthread_rwlock_wrlock	99	0x553de0
pthread_rwlockattr_destroy	100	0x553ee0
pthread_rwlockattr_getpshared	101	0x553f10
pthread_rwlockattr_init	102	0x553f40
pthread_rwlockattr_setpshared	103	0x553f70
pthread_self	104	0x553fb0
pthread_setcancelstate	105	0x554060
pthread_setcanceltype	106	0x554110
pthread_setconcurrency	107	0x5541c0
pthread_setschedparam	108	0x5541e0
pthread_setspecific	109	0x554230
pthread_spin_destroy	110	0x554320
pthread_spin_init	111	0x5543f0
pthread_spin_lock	112	0x5544e0
pthread_spin_trylock	113	0x554550
pthread_spin_unlock	114	0x5545c0
pthread_testcancel	115	0x554620
pthread_timechange_handler_np	116	0x554690
pthread_win32_process_attach_np	117	0x5546f0
pthread_win32_process_detach_np	118	0x554810
pthread_win32_test_features_np	119	0x554890
pthread_win32_thread_attach_np	120	0x5548b0
pthread_win32_thread_detach_np	121	0x5548c0
ptw32_get_exception_services_code	122	0x554f40
ptw32_pop_cleanup	123	0x555320
ptw32_push_cleanup	124	0x555480
sched_get_priority_max	125	0x555ca0
sched_get_priority_min	126	0x555cd0
sched_getscheduler	127	0x555d00
sched_setscheduler	128	0x555d60
sched_yield	129	0x555dd0
sem_close	130	0x555de0
sem_destroy	131	0x555df0
sem_getvalue	132	0x555eb0
sem_init	133	0x555f30
sem_open	134	0x555ff0
sem_post	135	0x556000
sem_post_multiple	136	0x556090
sem_timedwait	137	0x556150
sem_trywait	138	0x556220
sem_unlink	139	0x5562b0
sem_wait	140	0x5562c0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 17:11:11.029443026 CET	49705	80	192.168.2.5	49.4.55.6
Dec 23, 2024 17:11:11.149328947 CET	80	49705	49.4.55.6	192.168.2.5
Dec 23, 2024 17:11:11.152096033 CET	49705	80	192.168.2.5	49.4.55.6
Dec 23, 2024 17:11:11.152209044 CET	49705	80	192.168.2.5	49.4.55.6
Dec 23, 2024 17:11:11.271853924 CET	80	49705	49.4.55.6	192.168.2.5
Dec 23, 2024 17:11:12.706037045 CET	80	49705	49.4.55.6	192.168.2.5
Dec 23, 2024 17:11:12.706224918 CET	80	49705	49.4.55.6	192.168.2.5
Dec 23, 2024 17:11:12.706285954 CET	49705	80	192.168.2.5	49.4.55.6
Dec 23, 2024 17:11:12.706351042 CET	49705	80	192.168.2.5	49.4.55.6
Dec 23, 2024 17:11:13.499473095 CET	49706	80	192.168.2.5	114.115.204.103
Dec 23, 2024 17:11:13.619236946 CET	80	49706	114.115.204.103	192.168.2.5
Dec 23, 2024 17:11:13.619348049 CET	49706	80	192.168.2.5	114.115.204.103
Dec 23, 2024 17:11:13.619601965 CET	49706	80	192.168.2.5	114.115.204.103
Dec 23, 2024 17:11:13.739564896 CET	80	49706	114.115.204.103	192.168.2.5
Dec 23, 2024 17:11:13.884427071 CET	49707	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:14.004219055 CET	80	49707	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:14.004457951 CET	49707	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:14.004834890 CET	49707	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:14.124283075 CET	80	49707	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:15.192087889 CET	80	49706	114.115.204.103	192.168.2.5
Dec 23, 2024 17:11:15.192181110 CET	49706	80	192.168.2.5	114.115.204.103
Dec 23, 2024 17:11:15.587059975 CET	80	49707	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:15.587125063 CET	49707	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.457016945 CET	49707	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.458133936 CET	49708	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.576747894 CET	80	49707	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:16.577740908 CET	80	49708	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:16.577811003 CET	49708	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.582801104 CET	49708	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.587059021 CET	80	49707	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:16.587120056 CET	49707	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.604183912 CET	49707	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.605062962 CET	49709	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.702531099 CET	80	49708	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:16.723920107 CET	80	49707	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:16.724569082 CET	80	49709	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:16.724673986 CET	49709	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.727482080 CET	49709	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:16.847027063 CET	80	49709	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:18.172362089 CET	80	49708	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:18.172511101 CET	49708	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:18.328226089 CET	80	49709	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:18.328298092 CET	49709	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:19.172895908 CET	80	49708	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:19.172966957 CET	49708	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:19.328089952 CET	80	49709	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:19.328664064 CET	49709	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:51.866472960 CET	49709	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:51.867450953 CET	49708	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:51.870616913 CET	49790	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:51.870922089 CET	49791	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:51.986124992 CET	80	49709	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:51.987149000 CET	80	49708	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:51.990179062 CET	80	49790	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:51.990267038 CET	49790	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:51.990360975 CET	80	49791	47.117.77.180	192.168.2.5
Dec 23, 2024 17:11:51.990413904 CET	49791	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:52.249105930 CET	49706	80	192.168.2.5	114.115.204.103
Dec 23, 2024 17:11:52.249492884 CET	49790	80	192.168.2.5	47.117.77.180
Dec 23, 2024 17:11:52.249512911 CET	49705	80	192.168.2.5	49.4.55.6
Dec 23, 2024 17:11:52.252861023 CET	49791	80	192.168.2.5	47.117.77.180

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 17:11:10.486044884 CET	52925	53	192.168.2.5	1.1.1.1
Dec 23, 2024 17:11:10.974735975 CET	53	52925	1.1.1.1	192.168.2.5
Dec 23, 2024 17:11:13.267473936 CET	53474	53	192.168.2.5	1.1.1.1
Dec 23, 2024 17:11:13.498260021 CET	53	53474	1.1.1.1	192.168.2.5
Dec 23, 2024 17:11:13.530047894 CET	63172	53	192.168.2.5	1.1.1.1
Dec 23, 2024 17:11:13.883232117 CET	53	63172	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 17:11:10.486044884 CET	192.168.2.5	1.1.1.1	0x6862	Standard query (0)	softmgr-cfg.ludashi.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:11:13.267473936 CET	192.168.2.5	1.1.1.1	0x4552	Standard query (0)	softmgr-stat.ludashi.com	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:11:13.530047894 CET	192.168.2.5	1.1.1.1	0xa6ac	Standard query (0)	s.ludashi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 17:11:10.974735975 CET	1.1.1.1	192.168.2.5	0x6862	No error (0)	softmgr-cfg.ludashi.com	49.4.55.6	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:11:13.498260021 CET	1.1.1.1	192.168.2.5	0x4552	No error (0)	softmgr-stat.ludashi.com	114.115.204.103	A (IP address)	IN (0x0001)	false
Dec 23, 2024 17:11:13.883232117 CET	1.1.1.1	192.168.2.5	0xa6ac	No error (0)	s.ludashi.com	47.117.77.180	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

softmgr-cfg.ludashi.com

softmgr-stat.ludashi.com

s.ludashi.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	49.4.55.6	80	6200	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 17:11:11.152209044 CET	506	OUT	GET /inst/get3 HTTP/1.1 Accept: / Accept-Language: zh-CN,zh;q=0.9 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36 Host: softmgr-cfg.ludashi.com Content-Length: 204 Cache-Control: no-cache Data Raw: 54 43 54 79 36 30 49 76 77 39 5a 57 4d 46 34 56 4e 45 79 50 6b 45 2b 37 4a 6b 55 4f 79 45 34 48 63 49 61 49 66 58 74 79 7a 69 2f 6b 32 33 33 47 73 4b 6a 44 41 38 39 45 68 33 34 32 75 39 36 73 66 31 42 49 57 73 56 79 2f 5a 46 6c 4a 34 5a 69 48 35 41 33 6a 33 44 5a 32 48 76 4a 6f 75 47 55 52 7a 34 55 77 71 46 2f 47 34 51 4f 30 63 48 68 69 32 37 48 4d 48 52 6a 4d 6d 67 49 59 56 44 78 46 30 77 66 51 70 46 61 6e 4b 5a 43 53 4f 6f 7a 64 4a 42 69 54 73 77 30 67 4a 32 68 4f 4f 49 32 6b 63 32 4c 71 67 70 51 46 74 78 62 6d 31 73 67 2b 77 37 75 6c 72 48 70 6e 77 35 34 4a 6c 6c 73 4e 43 4c 6b 71 4e 34 69 5a 49 51 3d Data Ascii: TCTy60Ivw9ZWMF4VNEyPkE+7JkUOyE4HcIaIfXtyzi/k233GsKjDA89Eh342u96sf1BIWsVy/ZFlJ4ZiH5A3j3DZ2HvJouGURz4UwqF/G4QO0cHhi27HMHRjMmgIYVDxF0wfQpFanKZCSOozdJBiTsw0gJ2hOOI2kc2LqgpQFtxbm1sg+w7ulrHpnw54JllsNCLkqN4iZIQ=
Dec 23, 2024 17:11:12.706037045 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:11:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Powered-By: PHP/7.1.8 Server: elb Data Raw: 36 34 63 0d 0a 54 59 6e 61 39 70 77 68 6b 32 52 77 53 6c 48 2f 65 79 66 75 68 42 71 57 53 39 32 43 49 49 62 43 4f 76 71 74 37 4f 34 4b 35 52 34 30 2f 4a 44 50 78 36 35 35 45 6a 33 6c 4e 38 72 65 78 66 44 79 4f 51 38 62 46 38 43 37 63 70 4c 39 49 5a 32 46 4e 51 6e 76 51 5a 77 31 6e 6f 4f 4d 6e 2b 56 75 73 56 79 4a 61 62 4e 46 47 74 44 39 35 61 4a 58 49 2f 37 4f 5a 51 48 7a 76 42 36 58 6d 44 36 66 57 74 35 7a 38 4f 31 49 5a 56 37 35 2b 53 42 65 31 78 2f 59 2f 68 4d 73 63 53 75 51 57 72 71 65 70 57 48 55 6a 64 58 4c 30 6c 62 4d 6d 57 70 63 30 4c 30 32 6c 6d 44 6e 73 66 74 41 72 45 46 47 33 72 6b 4f 37 63 39 2f 36 52 35 42 65 32 30 72 37 55 6f 72 65 64 66 66 32 38 61 30 6b 33 2b 75 5a 54 4e 5a 44 31 30 62 55 58 4b 5a 65 46 5a 47 79 34 45 53 78 72 57 43 68 72 4a 61 42 4f 4f 51 66 66 48 63 6b 39 79 30 78 54 73 7a 4e 54 6f 2b 79 43 73 41 39 71 6e 51 67 70 52 72 6a 65 69 76 48 76 34 79 4b 4c 39 63 4d 69 57 47 32 67 44 37 6d 31 2b 4b 70 56 69 52 41 6d 71 7a 79 67 52 64 64 42 74 72 32 42 2f 6a 74 6b 56 46 56 [TRUNCATED] Data Ascii: 64cTYna9pwhk2RwSlH/eyfuhBqWS92CIIbCOvqt7O4K5R40/JDPx655Ej3lN8rexfDyOQ8bF8C7cpL9IZ2FNQnvQZw1noOMn+VusVyJabNFGtD95aJXI/7OZQHzvB6XmD6fWt5z8O1IZV75+SBe1x/Y/hMscSuQWrqepWHUjdXL0lbMmWpc0L02lmDnsftArEFG3rkO7c9/6R5Be20r7Uoredff28a0k3+uZTNZD10bUXKZeFZGy4ESxrWChrJaBOOQffHck9y0xTszNTo+yCsA9qnQgpRrjeivHv4yKL9cMiWG2gD7m1+KpViRAmqzygRddBtr2B/jtkVFVkq1b1kHebTcOCf5S8GwmMYFhnvcQGAYWt84ud2nOZmuAXJz+rHkjORLRMcb51cs4rHE/AbB131ysscSFV2Ldx+54/Kcbq+kEKrqAsOayj0Kej+JrvKokiWVoC17iyg92diG4AO1LL5mHqbexuLNeRQz9lBJGbR+0BFxQescsyqpl2ZXlsOxZTNZD10bUXKoIa7NcSnWc09lskUkl4T9Pmz4jTCUWzHkbc6WTukrZbUVp1/u3L7U415p+MaPHCcKhhnbAt33fAO45/Bookz3F9PPLlYRNk8ntzAMJZyCmzLPj6jIAkyf9fUXckWjRKgE+QHZgH2gtdMxDaOC3EQrBGLiCEDmYSQNwvZWGlJjJuq0VVk/ZlwiN9aDxIEWP2D112492xhbVqeBVW6uPQkXdGmJYm3KOsUoij0u4fSj73yQpelTXXp3NzpOkB7q9ViVvWEMz2IJznI8ldeavOfRMXY/kf5GjBvHWxyQWc6GH55PUNL61Pg5YXWBtEuEzoXW9F5AjKEQX2L9HqtuRZGxhbkwkrVNcDmJTE7CtIQG/oOj6WxCQlZRi0OarLR+dLRf9398vLAhHsmJ53iJZRJVLiE0A3aZ0GkNvTs3MCaelr3T+8XHSaUviXlvkbj3dwCLQ5qstH50tK7q87GYdr5rMmN/6k8wZ+hnkXq [TRUNCATED]
Dec 23, 2024 17:11:12.706224918 CET	597	IN	Data Raw: 71 33 52 2b 2f 54 56 45 63 4a 31 56 4c 6d 74 4b 64 76 4c 71 2b 6c 69 59 32 55 4b 65 79 5a 6a 53 58 70 64 61 7a 69 49 36 71 45 6b 69 58 44 31 35 70 64 32 57 48 64 4b 73 65 4b 51 4e 53 7a 7a 4c 56 2f 53 63 4d 2b 38 79 78 4e 6c 71 53 74 64 4f 51 45 Data Ascii: q3R+/TVEcJ1VLmtKdvLq+liY2UKeyZjSXpdaziI6qEkiXD15pd2WHdKseKQNSzzLV/ScM+8yxNlqStdOQEkItFe3nJ+/UtxJiM8fAPpZN2KPfxcK9iEFoD5nVUT8HJ998voqEeTRTlz6KQxa2w+zK4ebrvv+Dz1lrvzydSKRLcZF34ffMwNRpyBpMv+w1dVnC1zmOy3LU76X4kIGAJWT4VKliH6UrCOmdiLshrOMGyI+sSrw4AT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	114.115.204.103	80	6200	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 17:11:13.619601965 CET	620	OUT	POST /downloader/soft/reportNew HTTP/1.1 Accept: / Accept-Language: zh-CN,zh;q=0.9 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36 Host: softmgr-stat.ludashi.com Content-Length: 300 Cache-Control: no-cache Data Raw: 38 6a 34 39 4e 37 65 56 70 61 68 37 6b 78 4c 61 47 39 2b 4b 63 54 4f 68 6e 56 45 70 69 75 72 68 6f 58 65 32 71 62 79 42 4a 70 64 4a 31 49 6b 79 61 47 74 30 58 32 4a 6d 71 4f 46 35 59 79 41 35 58 58 58 4f 61 54 36 57 32 48 55 34 49 74 6d 77 58 49 75 44 6b 37 50 39 61 4b 4b 56 34 65 76 77 44 6c 51 64 55 78 47 46 51 33 59 53 46 6d 38 39 61 47 71 74 48 43 63 6f 74 53 66 4f 52 51 33 4d 63 35 56 4e 77 50 6c 54 75 4f 77 66 51 46 62 64 51 6d 54 69 43 6b 54 64 65 53 44 4c 36 74 52 36 57 33 68 77 70 68 38 67 55 56 31 64 44 33 52 65 54 33 62 62 4f 4e 6c 59 66 2b 6d 4c 38 68 67 63 79 59 34 66 59 6e 4e 59 70 32 55 68 4c 6f 48 52 4a 62 4d 52 4b 6f 5a 70 57 7a 38 64 65 30 41 69 41 73 5a 52 34 53 44 42 76 45 32 6e 48 4e 42 78 56 4e 73 4f 42 48 50 30 6e 61 72 51 55 4d 4f 42 6c 42 49 2b 74 63 30 7a 37 56 2f 37 59 39 67 69 4c 62 31 42 42 4f 31 66 62 4d 43 47 59 4f 75 68 34 4e 51 41 66 58 65 64 2b 4a 49 3d Data Ascii: 8j49N7eVpah7kxLaG9+KcTOhnVEpiurhoXe2qbyBJpdJ1IkyaGt0X2JmqOF5YyA5XXXOaT6W2HU4ItmwXIuDk7P9aKKV4evwDlQdUxGFQ3YSFm89aGqtHCcotSfORQ3Mc5VNwPlTuOwfQFbdQmTiCkTdeSDL6tR6W3hwph8gUV1dD3ReT3bbONlYf+mL8hgcyY4fYnNYp2UhLoHRJbMRKoZpWz8de0AiAsZR4SDBvE2nHNBxVNsOBHP0narQUMOBlBI+tc0z7V/7Y9giLb1BBO1fbMCGYOuh4NQAfXed+JI=
Dec 23, 2024 17:11:15.192087889 CET	276	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:11:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Powered-By: PHP/7.1.8 Server: elb Data Raw: 33 38 0d 0a 33 73 53 57 46 4f 61 2f 77 38 58 74 79 46 71 79 49 5a 6c 45 6c 6c 44 6d 71 36 49 59 78 69 70 6a 41 6b 71 4c 75 6d 39 38 58 55 69 35 61 34 4a 51 75 4c 32 51 63 51 3d 3d 0d 0a 30 0d 0a 0d 0a Data Ascii: 383sSWFOa/w8XtyFqyIZlEllDmq6IYxipjAkqLum98XUi5a4JQuL2QcQ==0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	47.117.77.180	80	6200	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 17:11:14.004834890 CET	537	OUT	GET /url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.ludashi.com Connection: Keep-Alive
Dec 23, 2024 17:11:15.587059975 CET	228	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:11:15 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 0 Connection: keep-alive Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT ETag: "5e06b3b7-0" Accept-Ranges: bytes
Dec 23, 2024 17:11:16.457016945 CET	690	OUT	GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[method]=titan_sdk&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.ludashi.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49708	47.117.77.180	80	6200	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 17:11:16.582801104 CET	546	OUT	GET /url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.ludashi.com Connection: Keep-Alive
Dec 23, 2024 17:11:18.172362089 CET	228	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:11:17 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 0 Connection: keep-alive Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT ETag: "5e06b3b7-0" Accept-Ranges: bytes

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49709	47.117.77.180	80	6200	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 17:11:16.727482080 CET	729	OUT	GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[method]=titan_sdk&ex_ary[time]=0&ex_ary[errcode]=17_0_0_0&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: s.ludashi.com Connection: Keep-Alive
Dec 23, 2024 17:11:18.328226089 CET	228	IN	HTTP/1.1 200 OK Date: Mon, 23 Dec 2024 16:11:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 0 Connection: keep-alive Last-Modified: Sat, 28 Dec 2019 01:45:27 GMT ETag: "5e06b3b7-0" Accept-Ranges: bytes

Target ID:	0
Start time:	11:11:07
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe"
Imagebase:	0x400000
File size:	5'702'624 bytes
MD5 hash:	5D04DA31238FF20998723B09AFFD65D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:11:16
Start date:	23/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 1564
Imagebase:	0x960000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: global traffic	HTTP traffic detected: GET /inst/get3 HTTP/1.1Accept: /Accept-Language: zh-CN,zh;q=0.9Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36Host: softmgr-cfg.ludashi.comContent-Length: 204Cache-Control: no-cacheData Raw: 54 43 54 79 36 30 49 76 77 39 5a 57 4d 46 34 56 4e 45 79 50 6b 45 2b 37 4a 6b 55 4f 79 45 34 48 63 49 61 49 66 58 74 79 7a 69 2f 6b 32 33 33 47 73 4b 6a 44 41 38 39 45 68 33 34 32 75 39 36 73 66 31 42 49 57 73 56 79 2f 5a 46 6c 4a 34 5a 69 48 35 41 33 6a 33 44 5a 32 48 76 4a 6f 75 47 55 52 7a 34 55 77 71 46 2f 47 34 51 4f 30 63 48 68 69 32 37 48 4d 48 52 6a 4d 6d 67 49 59 56 44 78 46 30 77 66 51 70 46 61 6e 4b 5a 43 53 4f 6f 7a 64 4a 42 69 54 73 77 30 67 4a 32 68 4f 4f 49 32 6b 63 32 4c 71 67 70 51 46 74 78 62 6d 31 73 67 2b 77 37 75 6c 72 48 70 6e 77 35 34 4a 6c 6c 73 4e 43 4c 6b 71 4e 34 69 5a 49 51 3d Data Ascii: TCTy60Ivw9ZWMF4VNEyPkE+7JkUOyE4HcIaIfXtyzi/k233GsKjDA89Eh342u96sf1BIWsVy/ZFlJ4ZiH5A3j3DZ2HvJouGURz4UwqF/G4QO0cHhi27HMHRjMmgIYVDxF0wfQpFanKZCSOozdJBiTsw0gJ2hOOI2kc2LqgpQFtxbm1sg+w7ulrHpnw54JllsNCLkqN4iZIQ=
Source: global traffic	HTTP traffic detected: POST /downloader/soft/reportNew HTTP/1.1Accept: /Accept-Language: zh-CN,zh;q=0.9Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36Host: softmgr-stat.ludashi.comContent-Length: 300Cache-Control: no-cacheData Raw: 38 6a 34 39 4e 37 65 56 70 61 68 37 6b 78 4c 61 47 39 2b 4b 63 54 4f 68 6e 56 45 70 69 75 72 68 6f 58 65 32 71 62 79 42 4a 70 64 4a 31 49 6b 79 61 47 74 30 58 32 4a 6d 71 4f 46 35 59 79 41 35 58 58 58 4f 61 54 36 57 32 48 55 34 49 74 6d 77 58 49 75 44 6b 37 50 39 61 4b 4b 56 34 65 76 77 44 6c 51 64 55 78 47 46 51 33 59 53 46 6d 38 39 61 47 71 74 48 43 63 6f 74 53 66 4f 52 51 33 4d 63 35 56 4e 77 50 6c 54 75 4f 77 66 51 46 62 64 51 6d 54 69 43 6b 54 64 65 53 44 4c 36 74 52 36 57 33 68 77 70 68 38 67 55 56 31 64 44 33 52 65 54 33 62 62 4f 4e 6c 59 66 2b 6d 4c 38 68 67 63 79 59 34 66 59 6e 4e 59 70 32 55 68 4c 6f 48 52 4a 62 4d 52 4b 6f 5a 70 57 7a 38 64 65 30 41 69 41 73 5a 52 34 53 44 42 76 45 32 6e 48 4e 42 78 56 4e 73 4f 42 48 50 30 6e 61 72 51 55 4d 4f 42 6c 42 49 2b 74 63 30 7a 37 56 2f 37 59 39 67 69 4c 62 31 42 42 4f 31 66 62 4d 43 47 59 4f 75 68 34 4e 51 41 66 58 65 64 2b 4a 49 3d Data Ascii: 8j49N7eVpah7kxLaG9+KcTOhnVEpiurhoXe2qbyBJpdJ1IkyaGt0X2JmqOF5YyA5XXXOaT6W2HU4ItmwXIuDk7P9aKKV4evwDlQdUxGFQ3YSFm89aGqtHCcotSfORQ3Mc5VNwPlTuOwfQFbdQmTiCkTdeSDL6tR6W3hwph8gUV1dD3ReT3bbONlYf+mL8hgcyY4fYnNYp2UhLoHRJbMRKoZpWz8de0AiAsZR4SDBvE2nHNBxVNsOBHP0narQUMOBlBI+tc0z7V/7Y9giLb1BBO1fbMCGYOuh4NQAfXed+JI=
Source: global traffic	HTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[method]=titan_sdk&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[method]=titan_sdk&ex_ary[time]=0&ex_ary[errcode]=17_0_0_0&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: GET /inst/get3 HTTP/1.1Accept: /Accept-Language: zh-CN,zh;q=0.9Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36Host: softmgr-cfg.ludashi.comContent-Length: 204Cache-Control: no-cacheData Raw: 54 43 54 79 36 30 49 76 77 39 5a 57 4d 46 34 56 4e 45 79 50 6b 45 2b 37 4a 6b 55 4f 79 45 34 48 63 49 61 49 66 58 74 79 7a 69 2f 6b 32 33 33 47 73 4b 6a 44 41 38 39 45 68 33 34 32 75 39 36 73 66 31 42 49 57 73 56 79 2f 5a 46 6c 4a 34 5a 69 48 35 41 33 6a 33 44 5a 32 48 76 4a 6f 75 47 55 52 7a 34 55 77 71 46 2f 47 34 51 4f 30 63 48 68 69 32 37 48 4d 48 52 6a 4d 6d 67 49 59 56 44 78 46 30 77 66 51 70 46 61 6e 4b 5a 43 53 4f 6f 7a 64 4a 42 69 54 73 77 30 67 4a 32 68 4f 4f 49 32 6b 63 32 4c 71 67 70 51 46 74 78 62 6d 31 73 67 2b 77 37 75 6c 72 48 70 6e 77 35 34 4a 6c 6c 73 4e 43 4c 6b 71 4e 34 69 5a 49 51 3d Data Ascii: TCTy60Ivw9ZWMF4VNEyPkE+7JkUOyE4HcIaIfXtyzi/k233GsKjDA89Eh342u96sf1BIWsVy/ZFlJ4ZiH5A3j3DZ2HvJouGURz4UwqF/G4QO0cHhi27HMHRjMmgIYVDxF0wfQpFanKZCSOozdJBiTsw0gJ2hOOI2kc2LqgpQFtxbm1sg+w7ulrHpnw54JllsNCLkqN4iZIQ=
Source: global traffic	HTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[method]=titan_sdk&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=59cd53708ed730f0ef42bb01f668d936&ex_ary[method]=titan_sdk&ex_ary[time]=0&ex_ary[errcode]=17_0_0_0&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070321&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=lds.steampowere.top@@927966702176 HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: s.ludashi.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: softmgr-cfg.ludashi.com
Source: global traffic	DNS traffic detected: DNS query: softmgr-stat.ludashi.com
Source: global traffic	DNS traffic detected: DNS query: s.ludashi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Ludashi\{33EEB2C4-6866-4f3b-B2B4-594730B5DD84}.tf

C:\Program Files (x86)\Ludashi\{D8B6A3D8-E63E-4c7a-927C-B7032B9C9588}.tf

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ZOOM#U89c6#U9891_9891604cb1297265bb91bed08d9772ddf5edfcc_ade10476_80d56e64-0104-4a78-8a1a-309c024cd75e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B5D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CA6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CE6.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\get3[1].htm

C:\Users\user\AppData\Local\Temp\{2572B3E2-D6D2-48e1-8785-B5D1B6CA6FBD}.tf

C:\Users\user\AppData\Roaming\titan\titan.lck

C:\Users\user\AppData\Roaming\titan\titan.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe