Edit tour

Windows Analysis Report
ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Overview

General Information

Sample name:	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe renamed because original name is a hash value
Original sample name:	ZOOM_b0138065277.exe
Analysis ID:	1579960
MD5:	5d04da31238ff20998723b09affd65d3
SHA1:	c00ada0d38135108c2028882ec9b340b905d667d
SHA256:	f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	46
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w10x64

ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe (PID: 652 cmdline: "C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe" MD5: 5D04DA31238FF20998723B09AFFD65D3)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.6% probability

Cryptography

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_dbf2b802-9

Compliance

Uses 32bit PE files

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: _b015226917.pdb source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
Source:	Binary string: D:\Jenkins\.jenkins\workspace\install_project\install_main\install_and_uninstall\QAUSE_Release\Install.pdb source: setup.dll.0.dr

Networking

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%s
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%shttp://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&ur
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:%d/jsond/ping
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&url=%s&option=%s
Source: setup.dll.0.dr	String found in binary or memory: http://api.ludashi.com/pc/ud/eva0kaka888ormswhxmwlsystem_panuninst_fixhao123360gameboxsystem_appverm
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2229144189.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2230439104.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, setup.dll.0.dr	String found in binary or memory: http://cdn-file-ssl-bizhi.ludashi.com/bizhi/install/instext.cabhttp://cdn-file-ssl-monidashi.ludashi
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903791821.0000000005E0B000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2669960601.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2484978091.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2530174715.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2866556390.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-hsy-titan-test.ludash
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2929022098.0000000005E0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2696910236.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2927161603.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903296620.0000000004F93000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F79000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903327269.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll6;;.
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dll
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2146264172.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2928090080.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2929235487.0000000002F79000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2231153193.0000000002F67000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2485205606.0000000002F67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn-titan-test.ludashi.com
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2229144189.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2230439104.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, setup.dll.0.dr	String found in binary or memory: http://ini.update.360safe.com/lds/update_patch.cab%s?t=%sunpack
Source: setup.dll.0.dr	String found in binary or memory: http://l.public.ludashi.com/pc/feedback/uninst
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://l.public.ludashi.com/pc/udldslite/dogSunhttp://l.public.ludashi.com/pc/ud/dogsundataerror
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903201438.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp, setup.dll.0.dr	String found in binary or memory: http://s.ludashi.com/url2?pid=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002FDC000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1024.1225.801&modver=6
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903296620.0000000004F93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownload&appver=6.1024.1225.801&modver
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901343912.00000000011D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modve
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.
Source: setup.dll.0.dr	String found in binary or memory: http://s.ludashi.com/url3?pid=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000114D000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://softmgr-cfg.ludashi.com/inst/get3
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000114D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-cfg.ludashi.com/inst/get3&_
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2528929873.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102326888.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2353270577.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102270380.0000000001186000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901343912.00000000011D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-cfg.ludashi.com/inst/get3muiT
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNew
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNewL
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNewdownloader
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNewe
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNewida
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softmgr-stat.ludashi.com/downloader/soft/reportNews
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: setup.dll.0.dr	String found in binary or memory: http://www.ludashi.com/cms/pc_mobile/quickxiaolu.php?channel=init
Source: setup.dll.0.dr	String found in binary or memory: http://www.ludashi.com/cms/service/jump.php?key=privacyagreementdisagree
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ludashi.com/lisence.htmlerror
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp, setup.dll.0.dr	String found in binary or memory: http://www.ludashi.com/stat/pc.php?pid=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2898256313.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://106.14.201.154/report/engine/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkv
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2669077395.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://106.14.201.154/report/engine/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&i
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2229144189.0000000005E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://106.14.201.154/report/flow/v2?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&ip=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2188935763.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://139.196.58.131/swarm/node/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&fid=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2353765396.0000000004FDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://139.196.58.131/swarm/play/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&type
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2930003570.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://139.196.58.131/swarm/stop/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2929512940.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2928946105.0000000005CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://139.196.58.131/swarm/stop/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&type
Source: setup.dll.0.dr	String found in binary or memory: https://cdn-file-ssl-pc.ludashi.com/pc/appstore/ludashi/ludashisetup2020.exe
Source: setup.dll.0.dr	String found in binary or memory: https://cdn-file-ssl.ludashi.com/pc/appstore/ludashi/ludashisetup.exeinstall
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000114D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3899873041.000000000019A000.00000004.00000010.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000111E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903201438.0000000004F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_a
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll;e
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dllLMEM
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903201438.0000000004F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dlli
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000114D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn-hsy-file-ssl-pc.ludashi.com/vP5.
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102186416.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102381818.0000000002F0D000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102669649.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102614695.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102472077.0000000002F0D000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102134702.0000000002F06000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102769891.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102008655.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101932068.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102962763.0000000002F15000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comRegulardv
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://paint-s.ludashi.com/allcommon?ptype=thundercdn&s=CProgressPage::RecheckDownloadTaskhttp_info
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.ludashi.comhttps://www.ludashi.com/page/contact.phpnx

System Summary

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Memory allocated: 77030000 page execute and read and write

Jump to behavior

PE file contains executable resources (Code or Archives)

Source: ludashi_lite_sem[1].dll.0.dr	Static PE information: Resource name: DLL_7Z type: Microsoft Cabinet archive data, Windows 2000/XP setup, 531829 bytes, 1 file, at 0x2c +A "7z.dll", number 1, 34 datablocks, 0x1 compression
Source: ludashi_lite_sem[1].dll.0.dr	Static PE information: Resource name: DLL_NETBRIDGE type: 7-zip archive data, version 0.4
Source: ludashi_lite_sem[1].dll.0.dr	Static PE information: Resource name: EXE_SIGNEX type: Microsoft Cabinet archive data, single, 323001 bytes, 1 file, at 0x1830 +A "KB931125.exe", flags 0x4, ID 818, number 1, extra bytes 6144 in head, 11 datablocks, 0x1 compression
Source: ludashi_lite_sem[1].dll.0.dr	Static PE information: Resource name: LAYER_ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ludashi_lite_sem[1].dll.0.dr	Static PE information: Resource name: LAYER_ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ludashi_lite_sem[1].dll.0.dr	Static PE information: Resource name: LAYER_ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ludashi_lite_sem[1].dll.0.dr	Static PE information: Resource name: SETUPCONFIG type: 7-zip archive data, version 0.4
Source: setup.dll.0.dr	Static PE information: Resource name: DLL_7Z type: Microsoft Cabinet archive data, Windows 2000/XP setup, 531829 bytes, 1 file, at 0x2c +A "7z.dll", number 1, 34 datablocks, 0x1 compression
Source: setup.dll.0.dr	Static PE information: Resource name: DLL_NETBRIDGE type: 7-zip archive data, version 0.4
Source: setup.dll.0.dr	Static PE information: Resource name: EXE_SIGNEX type: Microsoft Cabinet archive data, single, 323001 bytes, 1 file, at 0x1830 +A "KB931125.exe", flags 0x4, ID 818, number 1, extra bytes 6144 in head, 11 datablocks, 0x1 compression
Source: setup.dll.0.dr	Static PE information: Resource name: LAYER_ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: setup.dll.0.dr	Static PE information: Resource name: LAYER_ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: setup.dll.0.dr	Static PE information: Resource name: LAYER_ZIP type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: setup.dll.0.dr	Static PE information: Resource name: SETUPCONFIG type: 7-zip archive data, version 0.4

Uses 32bit PE files

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.evad.winEXE@1/12@0/100

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

File created: C:\Program Files (x86)\Ludashi

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\get3[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Mutant created: \Sessions\1\BaseNamedObjects\CUSERSuserAPPDATAROAMINGDOWNLOADERDOWNLOADERLOG
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Mutant created: \Sessions\1\BaseNamedObjects\ThunderMissionDownloadingMutex

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

File created: C:\Users\user\AppData\Local\Temp\{5BBC8DFD-94F3-432d-834A-C6D3561FB118}.tf

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: netbios.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: quserex.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: certificate valid

PE file exports many functions

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: More than 139 > 100 exports found

PE file has a big code size

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static file information: File size 5702624 > 1048576

PE file has a big raw section

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: Raw size of .inx1 is bigger than: 0x100000 < 0x566800

PE file contains a debug data directory

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: _b015226917.pdb source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
Source:	Binary string: D:\Jenkins\.jenkins\workspace\install_project\install_main\install_and_uninstall\QAUSE_Release\Install.pdb source: setup.dll.0.dr

Data Obfuscation

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .inx1

PE file contains sections with non-standard names

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Static PE information: section name: .inx0
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Static PE information: section name: .inx1

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ludashi_lite_sem[1].dll			Jump to dropped file
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	File created: C:\Users\user\AppData\Roaming\ludashi\setup.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: FB0005 value: E9 2B BA F0 75	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 76EBBA30 value: E9 DA 45 0F 8A	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 10E0008 value: E9 8B 8E E2 75	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 76F08E90 value: E9 80 71 1D 8A	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 10F0005 value: E9 8B 4D 98 74	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 75A74D90 value: E9 7A B2 67 8B	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 2D00005 value: E9 EB EB D8 72	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 75A8EBF0 value: E9 1A 14 27 8D	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 2D10005 value: E9 8B 8A 14 73	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 75E58A90 value: E9 7A 75 EB 8C	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 2D20005 value: E9 2B 02 16 73	Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Memory written: PID: 652 base: 75E80230 value: E9 DA FD E9 8C	Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900377712.000000000075A000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLLQ'I
Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900377712.000000000075A000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	RDTSC instruction interceptor: First address: D81AB8 second address: F2BEE2 instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 bts eax, edx 0x00000009 inc dx 0x0000000c xor bl, cl 0x0000000e sal dl, cl 0x00000010 mov edx, dword ptr [esp+ecx] 0x00000013 add ax, sp 0x00000016 cmp di, dx 0x00000019 neg ax 0x0000001c lea edi, dword ptr [edi-00000004h] 0x00000022 movzx eax, si 0x00000025 bswap eax 0x00000027 mov dword ptr [edi], edx 0x00000029 rcl al, FFFFFF82h 0x0000002c mov eax, dword ptr [esi] 0x0000002e clc 0x0000002f jmp 00007F2DA90B3F9Bh 0x00000034 add esi, 00000004h 0x0000003a clc 0x0000003b xor eax, ebx 0x0000003d xor eax, 05836C2Eh 0x00000042 clc 0x00000043 rol eax, 1 0x00000045 clc 0x00000046 add eax, 47AA4C98h 0x0000004b test esi, 25C5195Eh 0x00000051 jmp 00007F2DA93FDEA2h 0x00000056 bswap eax 0x00000058 cmp ch, 0000003Fh 0x0000005b xor ebx, eax 0x0000005d add ebp, eax 0x0000005f jmp 00007F2DA8ECC056h 0x00000064 lea eax, dword ptr [esp+60h] 0x00000068 cmp bp, di 0x0000006b test edi, 7F572217h 0x00000071 cmp edi, eax 0x00000073 ja 00007F2DA922A2EDh 0x00000079 push ebp 0x0000007a ret 0x0000007b movzx ecx, byte ptr [esi] 0x0000007e lea esi, dword ptr [esi+00000001h] 0x00000084 sal dh, 00000008h 0x00000087 xor cl, bl 0x00000089 bsr edx, ecx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	RDTSC instruction interceptor: First address: D0F75F second address: D0F779 instructions: 0x00000000 rdtsc 0x00000002 setno dh 0x00000005 dec ebp 0x00000006 btr dx, si 0x0000000a xadd edi, eax 0x0000000d not ebp 0x0000000f bsf si, si 0x00000013 bswap ebx 0x00000015 clc 0x00000016 lea ebp, dword ptr [ebp+ecx+00h] 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	RDTSC instruction interceptor: First address: 9064F1 second address: 9CAE9B instructions: 0x00000000 rdtsc 0x00000002 dec cl 0x00000004 neg cl 0x00000006 bts eax, edx 0x00000009 inc dx 0x0000000c xor bl, cl 0x0000000e sal dl, cl 0x00000010 mov edx, dword ptr [esp+ecx] 0x00000013 add ax, sp 0x00000016 cmp di, dx 0x00000019 neg ax 0x0000001c lea edi, dword ptr [edi-00000004h] 0x00000022 movzx eax, si 0x00000025 bswap eax 0x00000027 mov dword ptr [edi], edx 0x00000029 rcl al, FFFFFF82h 0x0000002c mov eax, dword ptr [esi] 0x0000002e clc 0x0000002f jmp 00007F2DA8FD1A2Ch 0x00000034 add esi, 00000004h 0x0000003a clc 0x0000003b xor eax, ebx 0x0000003d xor eax, 05836C2Eh 0x00000042 clc 0x00000043 rol eax, 1 0x00000045 clc 0x00000046 add eax, 47AA4C98h 0x0000004b test esi, 25C5195Eh 0x00000051 jmp 00007F2DA935CD48h 0x00000056 bswap eax 0x00000058 cmp ch, 0000003Fh 0x0000005b xor ebx, eax 0x0000005d add ebp, eax 0x0000005f jmp 00007F2DA90DAE4Eh 0x00000064 lea eax, dword ptr [esp+60h] 0x00000068 cmp bp, di 0x0000006b test edi, 7F572217h 0x00000071 cmp edi, eax 0x00000073 ja 00007F2DA9132EB8h 0x00000079 push ebp 0x0000007a ret 0x0000007b movzx ecx, byte ptr [esi] 0x0000007e lea esi, dword ptr [esi+00000001h] 0x00000084 sal dh, 00000008h 0x00000087 xor cl, bl 0x00000089 bsr edx, ecx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	RDTSC instruction interceptor: First address: A0A22A second address: A0A244 instructions: 0x00000000 rdtsc 0x00000002 setno dh 0x00000005 dec ebp 0x00000006 btr dx, si 0x0000000a xadd edi, eax 0x0000000d not ebp 0x0000000f bsf si, si 0x00000013 bswap ebx 0x00000015 clc 0x00000016 lea ebp, dword ptr [ebp+ecx+00h] 0x0000001a rdtsc

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ludashi_lite_sem[1].dll			Jump to dropped file
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ludashi\setup.dll			Jump to dropped file

Queries disk information (often used to detect virtual machines)

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2528929873.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: setup.dll.0.dr

Binary or memory string: ComputerZTrayTipParentWorkerWSHELLDLL_DefViewSysListView32Program ManagerProgmanGet desktop wnd = %08xOpen Process failed, hWnd = %d, PID = %dVirtual Alloc Failed

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Queries volume information: C:\Users\user\AppData\Roaming\titan\titan.log VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Masquerading	1 Credential API Hooking	211 Security Software Discovery	Remote Services	1 Credential API Hooking	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	122 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	48%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://139.196.58.131/swarm/play/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&type	0%	Avira URL Cloud	safe
http://softmgr-cfg.ludashi.com/inst/get3&_	0%	Avira URL Cloud	safe
https://139.196.58.131/swarm/stop/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNewdownloader	0%	Avira URL Cloud	safe
http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%shttp://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&ur	0%	Avira URL Cloud	safe
https://106.14.201.154/report/engine/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&i	0%	Avira URL Cloud	safe
http://cdn-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	0%	Avira URL Cloud	safe
http://softmgr-cfg.ludashi.com/inst/get3	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNewL	0%	Avira URL Cloud	safe
https://139.196.58.131/swarm/node/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&fid=	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNew	0%	Avira URL Cloud	safe
https://www.ludashi.comhttps://www.ludashi.com/page/contact.phpnx	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll6;;.	0%	Avira URL Cloud	safe
http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%s	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/jsond/ping	0%	Avira URL Cloud	safe
https://cdn-file-ssl.ludashi.com/pc/appstore/ludashi/ludashisetup.exeinstall	0%	Avira URL Cloud	safe
https://106.14.201.154/report/engine/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkv	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNewe	0%	Avira URL Cloud	safe
https://139.196.58.131/swarm/stop/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&type	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_a	0%	Avira URL Cloud	safe
https://106.14.201.154/report/flow/v2?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&ip=	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll;e	0%	Avira URL Cloud	safe
http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dll	0%	Avira URL Cloud	safe
http://cdn-file-ssl-bizhi.ludashi.com/bizhi/install/instext.cabhttp://cdn-file-ssl-monidashi.ludashi	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNews	0%	Avira URL Cloud	safe
http://softmgr-cfg.ludashi.com/inst/get3muiT	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dllLMEM	0%	Avira URL Cloud	safe
http://cdn-titan-test.ludashi.com	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dlli	0%	Avira URL Cloud	safe
http://softmgr-stat.ludashi.com/downloader/soft/reportNewida	0%	Avira URL Cloud	safe
http://l.public.ludashi.com/pc/udldslite/dogSunhttp://l.public.ludashi.com/pc/ud/dogsundataerror	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/vP5.	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4	0%	Avira URL Cloud	safe
https://cdn-hsy-file-ssl-pc.ludashi.com/	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&url=%s&option=%s	0%	Avira URL Cloud	safe
http://cdn-hsy-titan-test.ludash	0%	Avira URL Cloud	safe
http://l.public.ludashi.com/pc/feedback/uninst	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://s.ludashi.com/url2?pid=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp, setup.dll.0.dr	false		high
http://api.ludashi.com/pc/ud/eva0kaka888ormswhxmwlsystem_panuninst_fixhao123360gameboxsystem_appverm	setup.dll.0.dr	false		high
http://softmgr-cfg.ludashi.com/inst/get3&_	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000114D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://139.196.58.131/swarm/play/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&type	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2353765396.0000000004FDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://139.196.58.131/swarm/stop/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2930003570.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ludashi.com/cms/pc_mobile/quickxiaolu.php?channel=init	setup.dll.0.dr	false		high
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3899873041.000000000019A000.00000004.00000010.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000111E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903201438.0000000004F16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%shttp://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&ur	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://softmgr-cfg.ludashi.com/inst/get3	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000114D000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2696910236.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2927161603.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	false		high
http://www.ludashi.com/stat/pc.php?pid=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp, setup.dll.0.dr	false		high
http://softmgr-stat.ludashi.com/downloader/soft/reportNewdownloader	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	false		high
https://106.14.201.154/report/engine/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&i	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2669077395.0000000004FE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-thunder.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-file-ssl-pc.ludashi.com/pc/appstore/ludashi/ludashisetup2020.exe	setup.dll.0.dr	false		high
https://139.196.58.131/swarm/node/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&fid=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2188935763.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://softmgr-stat.ludashi.com/downloader/soft/reportNew	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://softmgr-stat.ludashi.com/downloader/soft/reportNewL	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll6;;.	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903327269.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ludashi.comhttps://www.ludashi.com/page/contact.phpnx	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d%s?type=m3u8&url=%s&option=%s	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d/jsond/ping	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://106.14.201.154/report/engine/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkv	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2898256313.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url3?pid=	setup.dll.0.dr	false		high
https://cdn-file-ssl.ludashi.com/pc/appstore/ludashi/ludashisetup.exeinstall	setup.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://softmgr-stat.ludashi.com/downloader/soft/reportNewe	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903201438.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://139.196.58.131/swarm/stop/v1?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&type	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2929512940.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2928946105.0000000005CB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_a	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll;e	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-thunder.ludashi.com/pc/appstore/modules/PCStoreSetup_officialwebsite_1.2524.1115.929.dll	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_fail&appver=6.1024.1225.801&modver=6	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002FDC000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F79000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ludashi.com/cms/service/jump.php?key=privacyagreementdisagree	setup.dll.0.dr	false		high
https://106.14.201.154/report/flow/v2?os=Win&did=5E60B50E7817B54B820C84A02E49AC0F&sdkver=1.10.32&ip=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2229144189.0000000005E7F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903296620.0000000004F93000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F79000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://softmgr-stat.ludashi.com/downloader/soft/reportNews	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-file-ssl-bizhi.ludashi.com/bizhi/install/instext.cabhttp://cdn-file-ssl-monidashi.ludashi	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2229144189.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2230439104.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, setup.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dllLMEM	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000116B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://softmgr-cfg.ludashi.com/inst/get3muiT	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2528929873.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102326888.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2353270577.00000000011C5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102270380.0000000001186000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901343912.00000000011D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-hsy-file-ssl-pc.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dlli	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903201438.0000000004F16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn-hsy-file-ssl-pc.ludashi.com/vP5.	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000114D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ini.update.360safe.com/lds/update_patch.cab%s?t=%sunpack	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2229144189.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2230439104.00000000050D6000.00000004.00000020.00020000.00000000.sdmp, setup.dll.0.dr	false		high
https://paint-s.ludashi.com/allcommon?ptype=thundercdn&s=CProgressPage::RecheckDownloadTaskhttp_info	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://cdn-titan-test.ludashi.com	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2146264172.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2928090080.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2929235487.0000000002F79000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2231153193.0000000002F67000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2485205606.0000000002F67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://curl.haxx.se/docs/http-cookies.html	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://softmgr-stat.ludashi.com/downloader/soft/reportNewida	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102997939.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102584768.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2101960744.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2103252331.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102735887.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2102210116.0000000002EE7000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownload&appver=6.1024.1225.801&modver	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903296620.0000000004F93000.00000004.00000020.00020000.00000000.sdmp	false		high
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modve	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901343912.00000000011D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ludashi.com/lisence.htmlerror	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false		high
http://l.public.ludashi.com/pc/udldslite/dogSunhttp://l.public.ludashi.com/pc/ud/dogsundataerror	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2929022098.0000000005E0B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-ocsp.symauth.com0	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	false		high
https://cdn-hsy-file-ssl-pc.ludashi.com/	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3901171175.000000000114D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:%d/titan_pcdn_service/%s?type=%s&url=%s&option=%s	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3900109695.0000000000681000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3902047957.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://l.public.ludashi.com/pc/feedback/uninst	setup.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://cdn-hsy-titan-test.ludash	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000002.3903791821.0000000005E0B000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2669960601.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2484978091.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2530174715.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe, 00000000.00000003.2866556390.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
118.168.26.146	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
61.187.250.66	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
14.155.197.235	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
14.155.138.233	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
120.209.45.232	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
36.49.53.120	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
113.24.200.150	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
175.11.193.102	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
112.112.175.100	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
121.204.101.59	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
222.68.0.143	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
116.1.56.125	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
120.41.29.64	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
115.192.189.158	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
139.196.187.113	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
175.20.148.127	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
221.220.141.39	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
211.142.225.237	unknown	China	56047	CMNET-HUNAN-APChinaMobilecommunicationscorporationCN	false
61.182.24.27	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
112.253.158.21	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
27.154.204.141	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
116.3.237.190	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
139.196.186.135	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
180.173.74.158	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
221.229.117.58	unknown	China	23650	CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba	false
182.89.226.9	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
223.95.196.172	unknown	China	56041	CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC	false
60.18.78.158	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
111.252.114.172	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
14.145.48.185	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
112.254.72.24	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
183.155.5.56	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
115.220.238.146	unknown	China	58461	CT-HANGZHOU-IDCNo288Fu-chunRoadCN	false
106.15.3.135	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
113.120.161.123	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
101.230.114.3	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
39.164.151.92	unknown	China	24445	CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	false
117.30.47.157	unknown	China	133776	CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN	false
111.22.160.107	unknown	China	56047	CMNET-HUNAN-APChinaMobilecommunicationscorporationCN	false
222.88.231.41	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
220.184.24.19	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
1.190.180.120	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
117.43.169.221	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
58.62.86.240	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
1.192.41.201	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
122.226.38.194	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
119.114.198.31	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
183.214.222.11	unknown	China	56047	CMNET-HUNAN-APChinaMobilecommunicationscorporationCN	false
218.1.208.222	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
47.117.78.230	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
220.179.147.40	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
120.41.179.14	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
123.131.103.203	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
222.68.11.185	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
114.115.204.103	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
118.248.201.62	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
222.88.116.74	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
61.185.92.5	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
61.144.100.18	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
218.200.95.199	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
113.244.71.29	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
222.217.69.44	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
175.162.7.19	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
120.7.30.11	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
180.163.145.204	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
27.19.200.196	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
120.230.190.118	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	false
113.107.224.138	unknown	China	58466	CT-GUANGZHOU-IDCCHINANETGuangdongprovincenetworkCN	false
223.96.44.142	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	false
39.149.237.20	unknown	China	24445	CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	false
36.46.174.254	unknown	China	134768	CHINANET-SHAANXI-CLOUD-BASECHINANETSHAANXIprovinceCloud	false
219.145.170.53	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
112.19.145.143	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
60.216.20.78	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
1.203.77.220	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
183.4.21.205	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
115.221.120.223	unknown	China	58461	CT-HANGZHOU-IDCNo288Fu-chunRoadCN	false
124.113.217.98	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
60.189.227.27	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
222.95.57.210	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
118.249.81.71	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
61.170.81.214	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
60.191.194.46	unknown	China	136190	CHINATELECOM-ZHEJIANG-JINHUA-IDCJINHUAZHEJIANGProvince	false
124.72.163.250	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
221.219.178.46	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
101.132.165.251	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
117.30.84.167	unknown	China	133776	CHINATELECOM-FUJIAN-QUANZHOU-IDC1QuanzhouCN	false
221.197.231.66	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
180.163.141.178	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
119.34.192.60	unknown	China	17622	CNCGROUP-GZChinaUnicomGuangzhounetworkCN	false
182.200.213.158	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
101.24.81.224	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
117.89.164.84	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
122.5.55.22	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
183.236.243.101	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	false
112.18.130.128	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
115.173.205.4	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
124.114.68.13	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
171.36.146.190	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
111.15.169.139	unknown	China	24444	CMNET-V4SHANDONG-AS-APShandongMobileCommunicationCompany	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579960
Start date and time:	2024-12-23 17:16:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe renamed because original name is a hash value
Original Sample Name:	ZOOM_b0138065277.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@1/12@0/100
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Simulations

Behavior and APIs

Time	Type	Description
17:16:44	Task Scheduler	Run new task: {17C63F50-2E25-4B62-A9D0-A816FACF4DF6} path:

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINANET-BACKBONENo31Jin-rongStreetCN	armv7l.elf	Get hash	malicious	Unknown	Browse	119.99.247.94
	armv5l.elf	Get hash	malicious	Unknown	Browse	218.14.122.70
	G3izWAY3Fa.exe	Get hash	malicious	GhostRat, Nitol	Browse	120.48.34.233
	G3izWAY3Fa.exe	Get hash	malicious	GhostRat, Nitol	Browse	120.48.34.233
	armv6l.elf	Get hash	malicious	Unknown	Browse	61.146.165.65
	armv4l.elf	Get hash	malicious	Unknown	Browse	14.118.130.115
	2.elf	Get hash	malicious	Unknown	Browse	59.175.154.153
	3.elf	Get hash	malicious	Unknown	Browse	36.45.84.63
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	123.163.227.84
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	111.226.186.147
CHINANET-BACKBONENo31Jin-rongStreetCN	armv7l.elf	Get hash	malicious	Unknown	Browse	119.99.247.94
	armv5l.elf	Get hash	malicious	Unknown	Browse	218.14.122.70
	G3izWAY3Fa.exe	Get hash	malicious	GhostRat, Nitol	Browse	120.48.34.233
	G3izWAY3Fa.exe	Get hash	malicious	GhostRat, Nitol	Browse	120.48.34.233
	armv6l.elf	Get hash	malicious	Unknown	Browse	61.146.165.65
	armv4l.elf	Get hash	malicious	Unknown	Browse	14.118.130.115
	2.elf	Get hash	malicious	Unknown	Browse	59.175.154.153
	3.elf	Get hash	malicious	Unknown	Browse	36.45.84.63
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	123.163.227.84
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	111.226.186.147
CHINANET-BACKBONENo31Jin-rongStreetCN	armv7l.elf	Get hash	malicious	Unknown	Browse	119.99.247.94
	armv5l.elf	Get hash	malicious	Unknown	Browse	218.14.122.70
	G3izWAY3Fa.exe	Get hash	malicious	GhostRat, Nitol	Browse	120.48.34.233
	G3izWAY3Fa.exe	Get hash	malicious	GhostRat, Nitol	Browse	120.48.34.233
	armv6l.elf	Get hash	malicious	Unknown	Browse	61.146.165.65
	armv4l.elf	Get hash	malicious	Unknown	Browse	14.118.130.115
	2.elf	Get hash	malicious	Unknown	Browse	59.175.154.153
	3.elf	Get hash	malicious	Unknown	Browse	36.45.84.63
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	123.163.227.84
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	111.226.186.147
HINETDataCommunicationBusinessGroupTW	armv7l.elf	Get hash	malicious	Unknown	Browse	1.168.57.167
	armv4l.elf	Get hash	malicious	Unknown	Browse	1.34.255.61
	2.elf	Get hash	malicious	Unknown	Browse	125.227.201.233
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	111.250.239.18
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	61.227.68.19
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	114.45.104.94
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	218.161.117.181
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	60.248.84.35
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	61.220.163.190
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	59.125.100.162

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.5880551257586273
Encrypted:	false
SSDEEP:	3:flqg5ld7Dvfn:Eg1z
MD5:	470D7AE326D4DDB41296F40805145885
SHA1:	3CCB8A34CFE3E9FF00AFAF824DB5F6572F9BCB9B
SHA-256:	D895537256DE024D8EFE9D60C876B969D45D4D78ECCC7C619D9E523BEBA70257
SHA-512:	F64CAA3A54786A9F6A23B5185BC54620DB3AF39A161A269AB9D2124202EB75E14E01451AC122339C480374730EF9670A2A72498CEAA0B7FEC62DA2EC89FF60AD
Malicious:	false
Reputation:	low
Preview:	{.A.8.F.5.E.F.4.9.-.8.F.4.1.-.4.4.0.4.

C:\Program Files (x86)\Ludashi\{EAA68A30-F424-490f-A2C0-65E597440781}.tf

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7684433618710838
Encrypted:	false
SSDEEP:	3:TleWPSzWRlkDl:TleWKyDk5
MD5:	4E3915FFE95C251BAAB6C0ECC0951615
SHA1:	EF09E4884A7F6599242781DD8158E0ECBDF4B6A2
SHA-256:	E00036DFBD9268F7A029CA69CA4D219085AF8EC6C3B176DAA015A156E824B989
SHA-512:	0FF12BEE81D2DD014280DF8092341E5C71C95CFF21AD0386DC993A2B9BA9D774A8A134FD20B0B11B07C66E780259F914CD4A2417969541DAA2C005A1041C7304
Malicious:	false
Reputation:	low
Preview:	{.E.A.A.6.8.A.3.0.-.F.4.2.4.-.4.9.0.f.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ludashi_lite_sem[1].dll

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59965440
Entropy (8bit):	7.9940659449827915
Encrypted:	true
SSDEEP:	1572864:wwdn7qL2uUfMysCgo+SOBD+feIMrgaFLBZRyN:97qL2XMyKo+nwoU6BZRc
MD5:	3A9F462FC739CF7F7BF381130532A224
SHA1:	07CAAAD44F8D5C5F2F69159C97F259CEAF0A81E8
SHA-256:	25D5CDB5D740A8C42846D6DB651A7281CE07A1B36347A1F8AAB3C424B110D263
SHA-512:	2F54AB18F64F1E2EF9E82BC9311A43F4F15BB437520DF665BE07B5920D49BF2F8B3F23DD690AC9924797EE75D26DECAA64BB66EEE1EB44CC0C2AFC9458849CF7
Malicious:	false
Reputation:	low
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.......XHQ..)?..)?..)?.....)?.....)?.....)?..@:..)?..@7..)?..)?..)?.]N:..)?..@:..)?......)?.NA<..)?.NA;.=)?.NA:.Z)?.....)?.....)?.....5)?..)>..(?..@;..)?..@:.x)?..@?..)?..@...)?..)...)?..@=..)?.Rich.)?.........................PE..L......f...........!..........5.....=........................................0K.....P[p...@.........................@S..X....S.......@..../...........o..)....J.H...@...T...................8...........@............................................text...]........................... ..`.rdata...p.......r..................@..@.data...........v...h..............@....rsrc...../..@..../.................@..@.reloc..H.....J.......I.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\get3[1].htm

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	ASCII text, with very long lines (1612), with no line terminators
Category:	dropped
Size (bytes):	1612
Entropy (8bit):	5.972451153692705
Encrypted:	false
SSDEEP:	48:wnRhMRXPghERuW6SbBh+uOfZEwfJ6T5fQtc6IKk/:wwRZ4DfZbfomthbk/
MD5:	3AF8D101B32C0B4E581A6B5306387CA0
SHA1:	8D85F91883EFAA1AF47D4D00C54445CA9BF0F15F
SHA-256:	2E4CEBA665CED52935F239B1AD8736EDDC327176DE5C7C34B4E225B95B5973C8
SHA-512:	53FDF2697E5469E55131E3855CFDB1198D00555DBEAB7F5FBFD7EDD26D13914E8EDCBA4902C46C427F80456E992870EC1E83D19805A33F10F0B767923A73D3D2
Malicious:	false
Reputation:	low
Preview:	TYna9pwhk2RwSlH/eyfuhBqWS92CIIbCOvqt7O4K5R40/JDPx655Ej3lN8rexfDyOQ8bF8C7cpL9IZ2FNQnvQZw1noOMn+VusVyJabNFGtD95aJXI/7OZQHzvB6XmD6fWt5z8O1IZV75+SBe1x/Y/hMscSuQWrqepWHUjdXL0lbMmWpc0L02lmDnsftArEFG3rkO7c9/6R5Be20r7Uoredff28a0k3+uZTNZD10bUXKZeFZGy4ESxrWChrJaBOOQffHck9y0xTszNTo+yCsA9qnQgpRrjeivHv4yKL9cMiWG2gD7m1+KpViRAmqzygRddBtr2B/jtkVFVkq1b1kHebTcOCf5S8GwmMYFhnvcQGAYWt84ud2nOZmuAXJz+rHkjORLRMcb51cs4rHE/AbB131ysscSFV2Ldx+54/Kcbq+kEKrqAsOayj0Kej+JrvKokiWVoC17iyg92diG4AO1LL5mHqbexuLNeRQz9lBJGbR+0BFxQescsyqpl2ZXlsOxZTNZD10bUXKoIa7NcSnWc09lskUkl4T9Pmz4jTCUWzHkbc6WTukrZbUVp1/u3L7U415p+MaPHCcKhhnbAt33fAO45/Bookz3F9PPLlYRNk8ntzAMJZyCmzLPj6jIAkyf9fUXckWjRKgE+QHZgH2gtdMxDaOC3EQrBGLiCEDmYSQNwvZWGlJjJuq0VVk/ZlwiN9aDxIEWP2D112492xhbVqeBVW6uPQkXdGmJYm3KOsUoij0u4fSj73yQpelTXXp3NzpOkB7q9ViVvWEMz2IJznI8ldeavOfRMXY/kf5GjBvHWxyQWc6GH55PUNL61Pg5YXWBtEuEzoXW9F5AjKEQX2L9HqtuRZGxhbkwkrVNcDmJTE7CtIQG/oOj6WxCQlZRi0OarLR+dLRf9398vLAhHsmJ53iJZRJVLiE0A3aZ0GkNvTs3MCaelr3T+8XHSaUviXlvkbj3dwCLQ5qstH50tK7q87GYdr5rMmN/6k8w

C:\Users\user\AppData\Local\Temp\{5BBC8DFD-94F3-432d-834A-C6D3561FB118}.tf

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.8081742830375824
Encrypted:	false
SSDEEP:	3:xl8VhIGFT4Tn:QsGyTn
MD5:	C898EA1A24ADDDC26DE1CC1EDCC79255
SHA1:	534A229B71D74429D5F65C42CAB1AD1AC4E9F203
SHA-256:	7F74A758968DBF943F238657E6C6396DE7EF043ACF5949193C3C264CBE14738C
SHA-512:	5FB5E70022969972C3F2132B32ED4CFFC743B5776637FE0EFF541D6A62A8A1DB78CDC5C9904E9C91919CAF0CC8D8632BE8093237C89F1CD73D9C1E2E1BCB6179
Malicious:	false
Reputation:	low
Preview:	{.5.B.B.C.8.D.F.D.-.9.4.F.3.-.4.3.2.d.

C:\Users\user\AppData\Roaming\ludashi\setup.dll

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59965440
Entropy (8bit):	7.9940659449827915
Encrypted:	true
SSDEEP:	1572864:wwdn7qL2uUfMysCgo+SOBD+feIMrgaFLBZRyN:97qL2XMyKo+nwoU6BZRc
MD5:	3A9F462FC739CF7F7BF381130532A224
SHA1:	07CAAAD44F8D5C5F2F69159C97F259CEAF0A81E8
SHA-256:	25D5CDB5D740A8C42846D6DB651A7281CE07A1B36347A1F8AAB3C424B110D263
SHA-512:	2F54AB18F64F1E2EF9E82BC9311A43F4F15BB437520DF665BE07B5920D49BF2F8B3F23DD690AC9924797EE75D26DECAA64BB66EEE1EB44CC0C2AFC9458849CF7
Malicious:	false
Reputation:	low
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.......XHQ..)?..)?..)?.....)?.....)?.....)?..@:..)?..@7..)?..)?..)?.]N:..)?..@:..)?......)?.NA<..)?.NA;.=)?.NA:.Z)?.....)?.....)?.....5)?..)>..(?..@;..)?..@:.x)?..@?..)?..@...)?..)...)?..@=..)?.Rich.)?.........................PE..L......f...........!..........5.....=........................................0K.....P[p...@.........................@S..X....S.......@..../...........o..)....J.H...@...T...................8...........@............................................text...]........................... ..`.rdata...p.......r..................@..@.data...........v...h..............@....rsrc...../..@..../.................@..@.reloc..H.....J.......I.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\titan\titan.config

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	43
Entropy (8bit):	4.184774568998512
Encrypted:	false
SSDEEP:	3:Yhsh/zrSdLE1wR64:YK/PSdL4k64
MD5:	B5139CFFB128D1E8A322435D94AC8EDE
SHA1:	D3BCA53F836C21E3764CD734237E2DBA6166CA71
SHA-256:	8574918F55BC23C3B0976E4C03B1B132DD43110552E7B46E9804575CE61632AF
SHA-512:	14D02F019653CE50202A1A5F731B860A00B9D886F0124AB2B2228B01318980C6976ED20067AB3C69386537395594D2232656C4E0EDFBCF1CBB9B3FC941EFDAB8
Malicious:	false
Reputation:	low
Preview:	{"DID": "5E60B50E7817B54B820C84A02E49AC0F"}

C:\Users\user\AppData\Roaming\titan\titan.dns

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	386
Entropy (8bit):	4.827032055355833
Encrypted:	false
SSDEEP:	6:YcJlSJqzW1dXlRxQ0ihKUIRoKfMGhK7gW4QlIK7gnM75LN:YshzexeKUIRoKfMGhKn4DK375LN
MD5:	1ACAD7940251ECDCEFE66FEDE9E5D4A3
SHA1:	2FEC29C6AF25D831B09DB1FF19EB52B826FA103D
SHA-256:	1452F6894E697E5D6ACD75431EA19F8C55B2B4E9F213ECF0409D14BE05769D0E
SHA-512:	D0CC36E971A3E057F38B67B8F029F67EE7EFC8209C2B37E13B25662FA1102C773C4A41EB2D218AC37510595BAFF8F2B6A93310265668F676D49DAD71F3B02688
Malicious:	false
Preview:	{"resolve_time":1734970623826,"domain_cache":[{"domain":"dns2.titannetwork.cn","addrs":["106.15.185.153"]},{"domain":"gw.titannetwork.cn","addrs":["106.14.201.154"]},{"domain":"meta.titannetwork.cn","addrs":["139.196.58.131"]},{"domain":"probe.titannetwork.cn","addrs":["106.15.3.135"]},{"domain":"probe6.titannetwork.cn","addrs":["2408:4002:10c2:8d01:345a:d733:4f1a:bc1e"]}]}2828220133

C:\Users\user\AppData\Roaming\titan\titan.global

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	150
Entropy (8bit):	4.9257229389828545
Encrypted:	false
SSDEEP:	3:YVXA4IE9WW2t1KdBLs6R9LeyX9JKORHX3HfjlCgMhfCmAVKMDDtDd:Y9A4IxW2iXfR93XrK2HX3LlCHfZwKMDb
MD5:	887642ABC1F4A1A62FA0139C344A4E3E
SHA1:	F05C51584D1CFCA1307A16AF7CF1CBF6162ACC18
SHA-256:	7C226B276161B383292236D271D52465E451D0A9D332942167BBBDF4A7A53D21
SHA-512:	866C0D5A7534E6637BA6DD38F8470BE73A0929EA6D82E84875A9EF93B6D09BE18CEE31A54B5C516E26F07BA67467C6472A5D498058050164576120EEB6CB4548
Malicious:	false
Preview:	{"pre_connection_hosts":["http://cdn-titan-test.ludashi.com"],"boot_timeout":3500,"boot_len":979968,"bprefetch":979968,"quit_report_flow":1}2653224338

C:\Users\user\AppData\Roaming\titan\titan.lck

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:D:D
MD5:	3250320DCAF3B60F1417B7B37986C4A3
SHA1:	5B88AE9BE6FB4236E3471519ABB479A3670B49CD
SHA-256:	40A7E9ACB06295D6CCC4DE8B5790AA4CEA3456F9BB1DD3E91F192BA5CA98BF97
SHA-512:	793859F6180B0F9A812524D3E031572CBD4D42438EFBEA528F3EB04FF2CEDDC118CD730E0E87DE4D20CE872148963C2A8B3183122DB6952E11662A0BCF708D9E
Malicious:	false
Preview:	titan

C:\Users\user\AppData\Roaming\titan\titan.log

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	ASCII text, with very long lines (432), with CRLF line terminators
Category:	dropped
Size (bytes):	156264
Entropy (8bit):	5.3782000014645535
Encrypted:	false
SSDEEP:	768:R3MM5dEvje7qxyf+8toh2D+7ooWhTivnu4abJ:syf+8tknu4k
MD5:	64845515DF69B8BD4EA2AA12D3AAFD6E
SHA1:	A545E50F1DD588F8AEC10838F547643E99661840
SHA-256:	F448C88BE7A9AE81501C853C7D9800481337065BAB186683226C5A64F2E9F35F
SHA-512:	3F227520C00254AE8F845059159B61D0FA7D616A042F46482F9DBDA45911D8E071831011B5D3B5E9521423E627F405254455E2F0175F8C30B6CF2C385FDC38C5
Malicious:	false
Preview:	[TitanSDK][16:17:00.453][init] platform(x86), version=1.10.32(13b7797)..[TitanSDK][16:17:00.453][init] workspace=C:\Users\user\AppData\Roaming\titan, params={"token":1583396110,"listen_port":29983,"pause_timeout":0,"sleep_timeout":0,"http_header_bypass_keys":[ ]}..[TitanSDK][16:17:00.453][did] gen ok. 5E60B50E7817B54B820C84A02E49AC0F..[TitanSDK][16:17:00.469][socket] tcp listen ok. port=29983, socket=1852..[TitanSDK][16:17:00.469][coordinate] set pause=0, sleep=180000..[TitanSDK][16:17:00.469][native] initialize ok..[TitanSDK][16:17:00.469][udp] listen_port ipv4=57315..[TitanSDK][16:17:00.469][dns] load dns cache ok, interval=0..[TitanSDK][16:17:00.484][tnetwork] network changed..[TitanSDK][16:17:00.484][probe] ip add: ips=1 (47.103.0.197, 0.0.0.0, 2408:4002:10c2:8d01:345a:d733:4f1a:bc1d)..[TitanSDK][16:17:00.500][native] open_swarm: swarm_id=1, type=2, url=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll, options={"SCHED_BOOT_LEN":100000,

C:\Users\user\AppData\Roaming\titan\titan.report-native

Download File

Process:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3639
Entropy (8bit):	5.122310271088732
Encrypted:	false
SSDEEP:	24:YWVuetfQuhxItYuetfQuZIpuetfQu3UAIfuetfQuLD+uetfQuxrH2uetfQuSCXul:YWQUullaV0LLymYV+sV+
MD5:	3871853D35036BF911F10CDC0C44F99B
SHA1:	E5BFB811CEA79A5082CA6909AF185B2FF1B26296
SHA-256:	9164F009FDC0667724EE1E3E279ED92EE50A9DA8E95A7B9A67FD29B0EE1E4D96
SHA-512:	8C4BA93926E4B5E5889BC52929EECE9B14F89D9731C63DD55CB990FCA764A6D5642E29C045EAF8A6BB063A00EF5D5006F7EF5C2CF052BA19D4809B98D7D96AC6
Malicious:	false
Preview:	{"ver":1,"ts":1734970626708,"url":"http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll","vid":"F24BA54EA53E3242970EF0191ED1D138","ctype":2,"cdn":111360,"cdnR":0,"p2p":0,"p2pR":0}..{"ver":1,"ts":1734970631729,"url":"http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll","vid":"F24BA54EA53E3242970EF0191ED1D138","ctype":2,"cdn":1128960,"cdnR":9920,"p2p":5640,"p2pR":0}..{"ver":1,"ts":1734970636738,"url":"http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll","vid":"F24BA54EA53E3242970EF0191ED1D138","ctype":2,"cdn":2193920,"cdnR":0,"p2p":0,"p2pR":0}..{"ver":1,"ts":1734970641738,"url":"http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll","vid":"F24BA54EA53E3242970EF0191ED1D138","ctype":2,"cdn":0,"cdnR":0,"p2p":3314910,"p2pR":2820}..{"ver":1,"ts":1734970646738,"url":"http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.41

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.943805867073643
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
File size:	5'702'624 bytes
MD5:	5d04da31238ff20998723b09affd65d3
SHA1:	c00ada0d38135108c2028882ec9b340b905d667d
SHA256:	f1ea3dd89b90fd6f29ea9addb9e30a4a527f8f83bb9e9d26c2faf05f21c209aa
SHA512:	ccb33dd91218101b59018d951d909c6827472c4645ac1fed59645c172beb532756fea8b559d3fa74d58f80b8016b6c575d9a54113c5c076b46c692cb6c9d68cb
SSDEEP:	98304:YpTSnAWfADmVwKQWTacPJ/XQuPFfybqxb1Dfb/yy38iH/pw1XSIfUEbnUme0/aoP:mGA1DmbT3d5Z/y+EfUEAaaNk/
TLSH:	5A46233343294249E4D4CD3D9A37BEE971F20B1B8A82BCF419DABDC225769D9D312913
File Content Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$.......?..K{...{...{...r.*.c...)...y...)...v...{...o...............1...:...........x.......}....F~.q.......}...)...f.......t...)...G..

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0xd4515f
Entrypoint Section:	.inx1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66AB597B [Thu Aug 1 09:46:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7528c6fa6e50b11c85c6d043d7885b65

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	21/05/2024 02:00:00 21/05/2027 01:59:59
Subject Chain	CN=\u6210\u90fd\u5947\u9c81\u79d1\u6280\u6709\u9650\u516c\u53f8, O=\u6210\u90fd\u5947\u9c81\u79d1\u6280\u6709\u9650\u516c\u53f8, L=\u6210\u90fd\u5e02, S=\u56db\u5ddd\u7701, C=CN, SERIALNUMBER=91510100394487762T, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=\u6210\u90fd\u9ad8\u65b0\u6280\u672f\u4ea7\u4e1a\u5f00\u53d1\u533a, OID.1.3.6.1.4.1.311.60.2.1.2=\u56db\u5ddd\u7701, OID.1.3.6.1.4.1.311.60.2.1.3=CN
Version:	3
Thumbprint MD5:	167BAFFC1D053557B1345BFD490610CB
Thumbprint SHA-1:	EC5BB0C4BE5D6F7CD9D863D6585CF1F3EF58FDA0
Thumbprint SHA-256:	CCFC26C7FC15163972E6E15716C46CFBCBB4D516F2F0DC3FA1A4687B09566AE8
Serial:	0D078E70EAEE48FFEB9576BDD400BE98

Entrypoint Preview

Instruction
jmp 00007F2DA8FDF8EAh
sub eax, dword ptr [edi]
sub eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F2DA8FA1858h
inc edx
clc
stc
cmc
rol edx, 02h
jmp 00007F2DA90B7007h
mov ecx, 520D5AF8h
mov ecx, 240DA85Bh
pop ebx
push ss
mov esp, 7F4980F2h
dec ebx
out CCh, al
out 5Ah, eax
or eax, 869E25C3h
fiadd word ptr [edi+eax+52950D45h]
lodsb
xlatb
or eax, 912372C6h
aaa
pmulhw mm5, qword ptr [ebp+0Dh]
pop eax
je 00007F2DA8FDF937h
pushfd
or eax, 69364D23h
stosd
fdivp st(5), st(0)
push 0000004Ch
out dx, eax
adc byte ptr [esp+ebp-35h], bh
ucomiss xmm4, dqword ptr [edx]
push esp
mov esp, BF339426h
call far 53F8h : DDCB3FCAh
inc ecx
shr byte ptr [edi-3Fh], cl
dec edx
call far eax
stosd
or eax, 5A58BC72h
sub ebp, dword ptr [edi]
pop eax
xchg eax, edx
mov bl, 5Ch
sahf
arpl word ptr [eax+ebx], cx
ret
push es
pop eax
retf

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x8de3f8	0x11e1	.inx1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x909564	0x1f4	.inx1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb73000	0x6cc5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x56da00	0x29e0	.inx0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb713a0	0x54	.inx1
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9a1be8	0x20	.inx1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb70e30	0x40	.inx1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x90c000	0xf0	.inx1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xa0ea24	0x240	.inx1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27fc9d	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x281000	0x966fc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x318000	0x41cc1	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.inx0	0x35a000	0x2b1587	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.inx1	0x60c000	0x566800	0x566800	31af098794bbb3df39acc8a8d2a5d5cb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb73000	0x6cc5	0x6e00	2b11349975ab4f16539a67ce40472b65	False	0.17634943181818183	data	4.515454659195658	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xb73220	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.21321961620469082
RT_ICON	0xb740c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.3953068592057762
RT_ICON	0xb74970	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.4479768786127168
RT_ICON	0xb74ed8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.09948132780082987
RT_ICON	0xb77480	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.12593808630393996
RT_ICON	0xb78528	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.19680851063829788
RT_GROUP_ICON	0xb78990	0x5a	data	Chinese	China	0.7
RT_VERSION	0xb789ec	0x240	data	Chinese	China	0.5208333333333334
RT_MANIFEST	0xb78c2c	0x1099	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.21440338903271358

Imports

DLL	Import
KERNEL32.dll	GetVersionExW
USER32.dll	SendMessageW
OLEAUT32.dll	VariantInit
dbghelp.dll	MakeSureDirectoryPathExists
VCRUNTIME140.dll	_except_handler4_common
api-ms-win-crt-string-l1-1-0.dll	strcmp
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vswprintf
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit
api-ms-win-crt-heap-l1-1-0.dll	calloc
api-ms-win-crt-locale-l1-1-0.dll	_unlock_locales
api-ms-win-crt-math-l1-1-0.dll	modf
api-ms-win-crt-convert-l1-1-0.dll	strtoul
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-time-l1-1-0.dll	_localtime64_s
api-ms-win-crt-filesystem-l1-1-0.dll	_wsplitpath_s
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-conio-l1-1-0.dll	_getch
WINMM.dll	timeGetTime
WLDAP32.dll
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery
USER32.dll	GetUserObjectInformationW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Exports

Name	Ordinal	Address
TitanSDK_AddHttpHeaderBypassKey	1	0x4a85c0
TitanSDK_AsyncOpenSession	2	0x4a8cc0
TitanSDK_CloseSession	3	0x4a8da0
TitanSDK_CloseSwarm	4	0x4a8bf0
TitanSDK_GetDownloadUrl	5	0x4a8960
TitanSDK_GetFlow	6	0x4a8ed0
TitanSDK_GetFlowDone	7	0x4a8fb0
TitanSDK_GetVodUrl	8	0x4a87c0
TitanSDK_OnNetworkChanged	9	0x4a87b0
TitanSDK_OpenSwarm	10	0x4a8b10
TitanSDK_PlayQuality	11	0x4a8e70
TitanSDK_PlayStatistics	12	0x4a8ea0
TitanSDK_SetListenPort	13	0x4a84e0
TitanSDK_SetPauseTimeout	14	0x4a84f0
TitanSDK_SetSleepTimeout	15	0x4a8500
TitanSDK_SetStartCallback	16	0x4a8b00
TitanSDK_SetToken	17	0x4a84d0
TitanSDK_SetWorkspace	18	0x4a8560
TitanSDK_Start	19	0x4a8630
TitanSDK_Stop	20	0x4a8710
pthreadCancelableTimedWait	21	0x5518b0
pthreadCancelableWait	22	0x5518c0
pthread_attr_destroy	23	0x5518e0
pthread_attr_getdetachstate	24	0x551920
pthread_attr_getinheritsched	25	0x551950
pthread_attr_getschedparam	26	0x551980
pthread_attr_getschedpolicy	27	0x5519b0
pthread_attr_getscope	28	0x5519e0
pthread_attr_getstackaddr	29	0x551a00
pthread_attr_getstacksize	30	0x551a30
pthread_attr_init	31	0x551a60
pthread_attr_setdetachstate	32	0x551ac0
pthread_attr_setinheritsched	33	0x551b00
pthread_attr_setschedparam	34	0x551b40
pthread_attr_setschedpolicy	35	0x551ba0
pthread_attr_setscope	36	0x551bd0
pthread_attr_setstackaddr	37	0x551c00
pthread_attr_setstacksize	38	0x551c30
pthread_barrier_destroy	39	0x551c60
pthread_barrier_init	40	0x551d00
pthread_barrier_wait	41	0x551d80
pthread_barrierattr_destroy	42	0x551e20
pthread_barrierattr_getpshared	43	0x551e50
pthread_barrierattr_init	44	0x551e80
pthread_barrierattr_setpshared	45	0x551eb0
pthread_cancel	46	0x551ee0
pthread_cond_broadcast	47	0x552020
pthread_cond_destroy	48	0x552040
pthread_cond_init	49	0x5521f0
pthread_cond_signal	50	0x552340
pthread_cond_timedwait	51	0x552360
pthread_cond_wait	52	0x552380
pthread_condattr_destroy	53	0x5523a0
pthread_condattr_getpshared	54	0x5523d0
pthread_condattr_init	55	0x552400
pthread_condattr_setpshared	56	0x552430
pthread_create	57	0x552460
pthread_delay_np	58	0x5525a0
pthread_detach	59	0x5526a0
pthread_equal	60	0x552760
pthread_exit	61	0x552780
pthread_getconcurrency	62	0x5527c0
pthread_getschedparam	63	0x5527d0
pthread_getspecific	64	0x552820
pthread_getunique_np	65	0x552850
pthread_getw32threadhandle_np	66	0x552860
pthread_getw32threadid_np	67	0x552870
pthread_join	68	0x552880
pthread_key_create	69	0x552950
pthread_key_delete	70	0x5529c0
pthread_kill	71	0x552a60
pthread_mutex_consistent	72	0x552ac0
pthread_mutex_destroy	73	0x552b00
pthread_mutex_init	74	0x552c00
pthread_mutex_lock	75	0x552ce0
pthread_mutex_timedlock	76	0x552fc0
pthread_mutex_trylock	77	0x553290
pthread_mutex_unlock	78	0x5533d0
pthread_mutexattr_destroy	79	0x5534d0
pthread_mutexattr_getkind_np	80	0x553500
pthread_mutexattr_getpshared	81	0x553510
pthread_mutexattr_getrobust	82	0x553540
pthread_mutexattr_gettype	83	0x553570
pthread_mutexattr_init	84	0x5535a0
pthread_mutexattr_setkind_np	85	0x5535e0
pthread_mutexattr_setpshared	86	0x5535f0
pthread_mutexattr_setrobust	87	0x553620
pthread_mutexattr_settype	88	0x553650
pthread_num_processors_np	89	0x553680
pthread_once	90	0x5536b0
pthread_rwlock_destroy	91	0x553730
pthread_rwlock_init	92	0x553870
pthread_rwlock_rdlock	93	0x553950
pthread_rwlock_timedrdlock	94	0x553a00
pthread_rwlock_timedwrlock	95	0x553ac0
pthread_rwlock_tryrdlock	96	0x553bc0
pthread_rwlock_trywrlock	97	0x553c70
pthread_rwlock_unlock	98	0x553d60
pthread_rwlock_wrlock	99	0x553de0
pthread_rwlockattr_destroy	100	0x553ee0
pthread_rwlockattr_getpshared	101	0x553f10
pthread_rwlockattr_init	102	0x553f40
pthread_rwlockattr_setpshared	103	0x553f70
pthread_self	104	0x553fb0
pthread_setcancelstate	105	0x554060
pthread_setcanceltype	106	0x554110
pthread_setconcurrency	107	0x5541c0
pthread_setschedparam	108	0x5541e0
pthread_setspecific	109	0x554230
pthread_spin_destroy	110	0x554320
pthread_spin_init	111	0x5543f0
pthread_spin_lock	112	0x5544e0
pthread_spin_trylock	113	0x554550
pthread_spin_unlock	114	0x5545c0
pthread_testcancel	115	0x554620
pthread_timechange_handler_np	116	0x554690
pthread_win32_process_attach_np	117	0x5546f0
pthread_win32_process_detach_np	118	0x554810
pthread_win32_test_features_np	119	0x554890
pthread_win32_thread_attach_np	120	0x5548b0
pthread_win32_thread_detach_np	121	0x5548c0
ptw32_get_exception_services_code	122	0x554f40
ptw32_pop_cleanup	123	0x555320
ptw32_push_cleanup	124	0x555480
sched_get_priority_max	125	0x555ca0
sched_get_priority_min	126	0x555cd0
sched_getscheduler	127	0x555d00
sched_setscheduler	128	0x555d60
sched_yield	129	0x555dd0
sem_close	130	0x555de0
sem_destroy	131	0x555df0
sem_getvalue	132	0x555eb0
sem_init	133	0x555f30
sem_open	134	0x555ff0
sem_post	135	0x556000
sem_post_multiple	136	0x556090
sem_timedwait	137	0x556150
sem_trywait	138	0x556220
sem_unlink	139	0x5562b0
sem_wait	140	0x5562c0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Target ID:	0
Start time:	11:16:54
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe"
Imagebase:	0x400000
File size:	5'702'624 bytes
MD5 hash:	5D04DA31238FF20998723B09AFFD65D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Ludashi\{A8F5EF49-8F41-4404-81B5-5884F74E7604}.tf

C:\Program Files (x86)\Ludashi\{EAA68A30-F424-490f-A2C0-65E597440781}.tf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\ludashi_lite_sem[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\get3[1].htm

C:\Users\user\AppData\Local\Temp\{5BBC8DFD-94F3-432d-834A-C6D3561FB118}.tf

C:\Users\user\AppData\Roaming\ludashi\setup.dll

C:\Users\user\AppData\Roaming\titan\titan.config

C:\Users\user\AppData\Roaming\titan\titan.dns

C:\Users\user\AppData\Roaming\titan\titan.global

C:\Users\user\AppData\Roaming\titan\titan.lck

C:\Users\user\AppData\Roaming\titan\titan.log

C:\Users\user\AppData\Roaming\titan\titan.report-native

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe