360ServerNet.exe

This executable has a PDB path (1 event)

pdb_path

C:\VSwork\Bypass360\x64\Release\HTTPRrnShe.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 18, 2021, 1:23 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Foreign language identified in PE resource (7 events)

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000263d0

size

0x000086ce

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000263d0

size

0x000086ce

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000263d0

size

0x000086ce

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000263d0

size

0x000086ce

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000263d0

size

0x000086ce

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0002eaa0

size

0x0000004c

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0002eaf0

size

0x000002c4

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 18, 2021, 1:23 p.m.	snapshot_handle: 0x0000000000000088 process_name: mobsync.exe process_identifier: 1420	1	1	0
Process32NextW April 18, 2021, 1:23 p.m.	snapshot_handle: 0x0000000000000088 process_name: taskhost.exe process_identifier: 8552	1	1	0
Process32NextW April 18, 2021, 1:23 p.m.	snapshot_handle: 0x0000000000000088 process_name: cmd.exe process_identifier: 2240	1	1	0
Process32NextW April 18, 2021, 1:23 p.m.	snapshot_handle: 0x0000000000000088 process_name: conhost.exe process_identifier: 6168	1	1	0
Process32NextW April 18, 2021, 1:23 p.m.	snapshot_handle: 0x0000000000000088 process_name: 360ServerNet.exe process_identifier: 656	1	1	0
Process32NextW April 18, 2021, 1:23 p.m.	snapshot_handle: 0x0000000000000088 process_name: pw.exe process_identifier: 6240	1	1	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Cynet	Malicious (score: 100)
eGambit	PE.Heur.InvalidSig
CrowdStrike	win/malicious_confidence_80% (W)

Communicates with host for which no DNS query was performed (1 event)

host	172.217.25.14

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 18, 2021, 1:23 p.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x000000000000008c filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl April 18, 2021, 1:23 p.m.	input_buffer: control_code: 458752 (IOCTL_DISK_GET_DRIVE_GEOMETRY) device_handle: 0x000000000000008c output_buffer: Qÿ?	1	1	0