Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 4, 2024, 1:25 p.m.	Aug. 4, 2024, 1:39 p.m.

Size	449.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`d161e13cf0731d0b55ad38d6a38cdc21`
SHA256	`847e71dbcd3917dad9ebc1ad63d497c3257acfeb47164f61423846e1c5dab272`
CRC32	`13BCC298`
ssdeep	`12288:Dkq5oiAasoIqnylPWE8Bgq0VxR9H4kIeguM:DkDiAalPnxtKDfg`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

jf.exe "C:\Users\test22\AppData\Local\Temp\jf.exe"
2548
- cmd.exe cmd /c C:\\Windows\\Temp\\drsx\\hl.bat
  2660
  - svchosi.exe C:\Windows\Temp\drsx\svchosi.exe
    2728
    - cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL
      2464
  - svchosl.exe C:\Windows\Temp\drsx\svchosl.exe
    2804
  - net.exe net stop xbbrowser_service
    2876
    - net1.exe C:\Windows\system32\net1 stop xbbrowser_service
      2920
  - net.exe net stop xblanupdate_svc
    2964
    - net1.exe C:\Windows\system32\net1 stop xblanupdate_svc
      3008
  - PING.EXE ping -n 3 127.0.0.1
    3056
  - svchoxb.exe C:\Windows\Temp\drsx\svchoxb.exe
    1384

Name	Response	Post-Analysis Lookup
qbuniplugin.html5.qq.com	A 43.135.106.117 CNAME ins-issntgh2.ias.tencent-cloud.net A 43.135.106.184	43.135.106.117
p0.qhimg.com	A 54.192.175.94 CNAME d2aydouiit1aqm.cloudfront.net A 54.192.175.95 A 54.192.175.113 A 54.192.175.23	54.192.175.113
game.kde.qq.com	A 129.226.107.124 CNAME ins-agc8farb.ias.tencent-cloud.net A 129.226.103.24	129.226.103.24
aegis.qq.com	A 43.137.221.145	43.137.221.145
www.baidu.com	CNAME www.a.shifen.com CNAME www.wshifen.com A 119.63.197.139 A 119.63.197.151	119.63.197.139
api.bilibili.com	A 164.52.44.50 A 164.52.47.54 CNAME a.w.bilicdn1.com CNAME i.w.bilicdn1.com	164.52.44.50
live.bilibili.com	A 164.52.44.50 A 164.52.47.54 CNAME a.w.bilicdn1.com CNAME i.w.bilicdn1.com	164.52.47.54
pcwup.imtt.qq.com	CNAME ins-gfjodimo.ias.tencent-cloud.net A 183.47.104.158 A 183.47.126.106 A 14.22.9.100	14.22.9.100
wn.pos.baidu.com	CNAME wn.pos.e.shifen.com A 182.61.200.11	182.61.200.11
dns.google	A 8.8.8.8 A 8.8.4.4	8.8.4.4
dgss0.bdstatic.com	CNAME sslsharev6.jomodns.com A 45.113.192.82 CNAME sslshare.gshifen.com	45.113.192.82
ss0.baidu.com	CNAME sslbaidu.jomodns.com CNAME sslbaidu.gshifen.com A 185.10.104.109	185.10.104.109
live-s3m.mediav.com	CNAME nuqp59eo.sched.vodtylego.tdnsvod1.cn CNAME chinavod367.china.line.qiniudns.com CNAME live-s3m-mediav-com-idvnowx.aigccdn.com CNAME live-s3m.mediav.com.live.360vcloud.com CNAME live-s3m.mediav.com.cdn.dnsv1.com A 58.216.28.63 A 58.216.28.64	111.174.12.100
ssxd.mediav.com	CNAME ss-lb.mdvdns.qhcdn.com A 112.65.69.51	112.65.69.51
hw-v2-web-player-tracker.biliapi.net	A 101.91.136.148 A 101.91.134.222 A 101.91.133.30	101.91.136.148
b60ec859c86b068d2351ce983cebdb01.rdt.tfogc.com	A 175.4.55.182	175.4.55.182
b33fca1920f4832d8e3dfbf4c7432b50.rdt.tfogc.com	A 113.141.160.48	113.141.160.48
pcupd.com	A 139.196.217.38	139.196.217.38
46accc8a55ff111839e2072af218a509.rdt.tfogc.com	A 183.214.144.4	183.214.144.4
hotlist.imtt.qq.com	A 129.226.103.169 A 43.154.240.245 CNAME ins-wrsramn3.ias.tencent-cloud.net	43.154.240.245
xy120x209x212x19xy.mcdn.bilivideo.cn	A 120.209.212.19	120.209.212.19
s1.mdvdns.com	CNAME ganmin-wrr.qhcdn.com A 180.163.247.250 A 112.65.69.52	112.65.69.52
hm.baidu.com	A 14.215.182.140 A 111.45.11.83 A 14.215.183.79 A 111.45.3.198 CNAME hm.e.shifen.com A 183.240.98.228	111.45.3.198
cpro.baidustatic.com	CNAME cpro.baidustatic.com.a.bdydns.com A 220.169.152.38 CNAME opencdnbdwm2.jomodns.com	220.169.152.38
r3---sn-j5o7dn7e.gvt1-cn.com	A 113.108.239.196 CNAME r3.sn-j5o7dn7e.gvt1-cn.com	113.108.239.196
mbd.baidu.com	CNAME mbd.n.shifen.com CNAME mbd.wshifen.com A 103.235.47.212	103.235.47.212
www.google.com	A 142.250.76.132	142.250.76.132
rpt.gdt.qq.com	CNAME rpt.gdt.qq.com.eo.dnse0.com A 43.159.119.111 A 43.159.118.117	43.159.118.117
optimizationguide-pa.googleapis.com	A 142.250.196.234 A 142.250.71.202 A 142.251.222.202 A 172.217.27.42 A 142.250.71.138 A 172.217.31.10 A 142.250.197.10 A 142.251.130.10 A 142.250.76.10 A 142.250.66.106 A 142.250.197.42 A 142.250.76.234 A 142.250.197.74 A 142.250.71.234 A 142.250.66.138 A 142.250.71.170	172.217.161.234
novel.html5.qq.com	CNAME ins-wpvrc8z8.ias.tencent-cloud.net A 129.226.106.211 A 129.226.107.80	129.226.107.80
sc0.hao123img.com	A 58.254.180.65 CNAME sc0.hao123img.com.a.bdydns.com CNAME opencdncloudv6.jomodns.com	58.254.180.65
9d215ea2cab88371652c1ef094554b8f.rdt.tfogc.com	A 183.214.144.2	183.214.144.2
snowflake.qq.com	A 43.129.2.38 CNAME ins-mbckwsy9.ias.tencent-cloud.net A 43.129.2.170	43.129.2.170
wup.imtt.qq.com	A 43.154.240.161 A 43.154.240.64 A 43.154.240.217	43.154.240.161
cm.bilibili.com	A 164.52.44.50 A 164.52.47.54 CNAME a.w.bilicdn1.com CNAME i.w.bilicdn1.com	164.52.47.54
max-l.mediav.com	CNAME max-dr.mdvdns.qihucdn.cn A 180.163.247.134	180.163.247.134
sofire.baidu.com	A 36.110.192.107 CNAME newsofire.n.shifen.com	36.110.192.107
jx.cdn.qhstatic.com	A 104.192.110.245 CNAME jx.cdn.qhstatic.com.qh-cdn.com A 101.198.192.8 A 101.198.192.7 CNAME jx.cdn.qhstatic.com.webcdn.360qhcdn.com	104.192.108.192
dhrest.2345.com	A 180.163.196.140	180.163.196.140
www.bilibili.com	CNAME a.w.bilicdn1.com CNAME i.w.bilicdn1.com A 164.52.44.50 A 164.52.47.54	164.52.44.50
adsmind.gdtimg.com	CNAME ovslmt.mid.apdcdn.com CNAME gslb.lmtlego.sched.apdcdn.com CNAME adsmind.gdtimg.com.tcdn.qq.com A 211.152.132.216	211.152.132.216
v.qq.com	CNAME v.qq.com.edgekey.net CNAME e5956.f.akamaiedge.net A 23.7.212.166	23.7.212.166
imgcdn.toutiaoyule.com	A 61.184.9.227 A 61.163.171.161 A 120.226.150.228 A 111.47.229.228 CNAME sz-ucloud-ipv4.ucloudnaming.info A 171.15.110.193 A 1.193.215.228 A 111.6.185.173 CNAME imgcdn.toutiaoyule.com.ucloudnaming.cn A 111.47.131.99 A 120.226.0.192 A 36.158.204.228 CNAME 61f34558.cdn.ucloud.com.cn	111.47.229.228
puui.qpic.cn	CNAME puui.qpic.cn-v1.edgesuite.net A 23.201.35.178 CNAME a1971.b.akamai.net A 23.201.35.240	23.210.247.59
st.tencent-cloud.com	CNAME st-tencent-cloud.lmtlego.sched.apdcdn.com CNAME st.tencent-cloud.com.tegsea.tc.qq.com A 211.152.132.216	211.152.132.216
dhps.2345.com	CNAME dhalishc.cname.2345.com A 180.163.203.99	180.163.203.99
static.res.qq.com	CNAME static.res.qq.com.cloud.tc.qq.com CNAME static.res.qq.com.sched.legopic2-dk.tdnsv6.com A 112.84.131.76 A 112.84.131.72 A 119.188.155.60 A 36.250.242.243 A 119.188.174.57 A 211.97.92.163 A 123.138.13.58 A 113.194.51.61 A 113.194.51.58 A 119.188.174.56 A 122.188.37.91 A 221.204.14.52 A 14.205.93.62 A 211.97.92.160 A 36.250.242.247	36.250.242.247
183ac55a26eb8ed3211e476f89a40d34.rdt.tfogc.com	A 111.4.66.14	111.4.66.14
dhrest-static.2345.com	A 61.170.80.233 A 61.170.80.230 A 61.170.80.231 A 61.170.80.227 A 61.170.80.226 A 61.170.80.229 CNAME dhrest-static.2345.com.w.kunluncan.com A 61.170.80.228 A 61.170.80.232	180.163.147.217
m4.publicimg.browser.qq.com	CNAME m4.publicimg.browser.qq.com.cloud.tc.qq.com CNAME m4.publicimg.browser.qq.com.sched.px.tdnsv6.com A 203.205.136.84 A 203.205.136.160 A 43.152.15.45	43.152.15.45
www.2345.com	CNAME www.2345.com.w.alikunlun.com A 163.181.22.237 A 163.181.22.234 A 163.181.22.235 A 163.181.22.205 A 163.181.22.233 A 163.181.22.238 A 163.181.22.236 A 163.181.22.206	163.181.22.236
cdn.nfa.qq.com	CNAME 2qu3tu16.sched.sma-dk.tdnsstic1.cn A 42.177.83.82 A 119.188.149.190 A 14.205.93.60 A 36.249.65.247 A 61.241.178.243 A 36.249.92.207 A 42.177.83.111 A 27.221.71.235 CNAME cdn.nfa.qq.com.cdn.dnsv1.com A 60.13.97.138 A 60.221.17.244 A 112.84.131.219 A 116.196.152.179 A 61.243.13.56	42.177.83.82
gss0.bdstatic.com	A 45.113.192.82 CNAME sslshare.jomodns.com CNAME sslshare.gshifen.com	45.113.192.82
arms-retcode.aliyuncs.com	A 47.110.39.46 A 47.96.223.80 A 47.96.83.41 A 47.99.58.69 A 114.55.180.23 A 47.110.73.164	47.96.83.41
ckmap.mediav.com	CNAME max.mdvdns.qhcdn.com A 180.163.247.134	180.163.247.134
bd-js1.2345.com	CNAME bd-js1.2345.com.cname4790.yjs-cdn.com A 112.25.90.131	112.25.90.131
35d956a39c11b2a14f588d401b8eb2ea.rdt.tfogc.com	A 183.95.181.108	183.95.181.108
mc.minibai.com	A 118.24.85.16	118.24.85.16
6252cfceac8fd2546906f4522c07fff2.rdt.tfogc.com	A 219.144.77.71	219.144.77.71
d9bfba694e0c428248140c78286d3793.rdt.tfogc.com	A 58.19.46.75	58.19.46.75
h.trace.qq.com	A 129.226.102.234 A 129.226.106.225 CNAME ins-diu1q33u.ias.tencent-cloud.net	129.226.102.234
lupic.cdn.bcebos.com	CNAME opencdnsslv6.jomodns.com A 175.4.51.35 A 171.214.24.35 A 125.74.42.35 CNAME lupic.cdn.bcebos.com.a.bdydns.com A 182.140.225.35 A 125.74.1.35 A 124.239.243.35 A 150.138.188.35 A 183.61.177.35 A 171.214.23.35 A 182.84.110.35	60.188.66.35
f7.baidu.com	CNAME opencdnbdimgtn.gshifen.com CNAME opencdnbdimgtn.jomodns.com CNAME f7.baidu.com.a.bdydns.com A 103.235.45.243	103.235.45.243
hector.baidu.com	A 39.156.68.81	39.156.68.81
xy117x158x188x37xy.mcdn.bilivideo.cn	A 117.158.188.37	117.158.188.37
i2.hdslb.com	A 122.10.154.133 A 122.10.154.134 CNAME i0.hdslb.com.g4.bdydns.com A 122.10.154.135 CNAME i0.hdslb.com.g0.bdydns.com	122.10.154.135
www-cdn.2345cdn.net	CNAME www-cdn.2345cdn.net.w.kunluncan.com A 180.163.145.204 A 180.163.145.200 A 180.163.145.205 A 180.163.145.202 A 180.163.145.201 A 180.163.145.207 A 180.163.145.203 A 180.163.145.206	180.163.207.108
otheve.beacon.qq.com	CNAME ins-u4xprfqu.ias.tencent-cloud.net A 129.226.106.210 A 129.226.103.123	129.226.106.210
ss1.baidu.com	CNAME sslbaidu.jomodns.com CNAME sslbaidu.gshifen.com A 185.10.104.109	185.10.104.109
v.gdt.qq.com	CNAME v.gdt.qq.com.eo.dnse0.com A 43.159.119.111 A 43.159.118.117	43.159.118.117
s3m4.fenxi.com	CNAME ucloud-internal.v.ucnaming.com A 180.97.252.44 A 180.97.252.31 CNAME s3m4.fenxi.com.qh-cdn.com CNAME uc-jn.ucloud.com.cn.ucnaming.com A 180.97.252.32 A 180.97.252.38 A 180.97.252.26 A 180.97.252.23 A 180.97.252.40 A 180.97.252.29 A 180.97.252.41 CNAME 2e0e966c.cdn.ucloud.com.cn A 180.97.252.43	175.6.254.74
7b42f7424e8c39d30019cf95ef41ef02.rdt.tfogc.com	A 175.4.55.179	175.4.55.179
cn-sccd-cu-01-09.bilivideo.com	A 101.206.209.10	101.206.209.10
www.aliyunpay.shop	A 118.178.125.54	118.178.125.54
daohang.qq.com	A 43.154.240.84 CNAME ins-yskxifo9.ias.tencent-cloud.net A 43.154.254.142	43.154.240.84
hectorstatic.baidu.com	CNAME hectorstatic.baidu.com.a.bdydns.com A 61.170.99.38 A 61.170.103.38 A 121.14.135.38 A 113.142.207.38 CNAME opencdnbd.jomodns.com A 171.107.86.38 A 106.225.194.38 A 118.212.224.38 A 140.249.244.38 A 180.97.198.38 A 118.212.230.38	113.142.207.38
vr.gdt.qq.com	CNAME vr.gdt.qq.com.eo.dnse0.com A 43.159.118.117 A 43.159.119.111	43.159.118.117
tv.puui.qpic.cn	CNAME tv.puui.qpic.cn.cdn.dnsv1.com.cn CNAME hpalcvha.ovslegodl.sched.ovscdns.com A 43.155.149.126 A 211.152.132.208 A 211.152.132.204 A 211.152.132.209 A 43.155.149.128 A 211.152.132.205 A 43.159.81.60 A 43.155.149.136 A 38.60.181.33 A 150.109.222.148 A 38.60.181.38 A 203.205.157.127 A 38.60.181.35 A 150.109.222.144 A 150.109.223.153	38.60.181.35
daohang.browser.qq.com	A 43.154.240.84 CNAME ins-yskxifo9.ias.tencent-cloud.net A 43.154.254.142	43.154.240.84
ca8ac9a6f86c4d42a7e731d17aa125db.rdt.tfogc.com	A 113.141.160.228	113.141.160.228
web.50bangzh.com	A 103.255.201.170 A 180.101.190.124	180.101.190.124
pos.baidu.com	A 103.235.46.94 CNAME cb.e.shifen.com	103.235.46.94
pbaccess.video.qq.com	CNAME ins-hsvf0lhv.ias.tencent-cloud.net A 43.155.124.103 A 43.129.2.182 A 43.135.105.208	43.155.124.103
content-autofill.googleapis.com	A 142.250.196.234 A 142.250.71.202 A 142.251.222.202 A 142.250.76.234 A 172.217.24.234 A 142.250.71.138 A 142.250.197.10 A 142.250.207.74 A 142.251.130.10 A 142.250.76.10 A 142.250.66.106 A 142.250.197.42 A 172.217.24.106 A 142.250.197.74 A 142.250.66.138 A 142.250.71.170	142.250.206.202
www.591888.vip	A 38.147.189.238	38.147.189.238
oth.str.beacon.qq.com	A 14.22.9.242 A 14.22.9.112 CNAME ins-3rwdn7ul.ias.tencent-cloud.net A 14.22.9.180	14.22.9.180
www.aliyunpay.shop		118.178.125.54
pss.bdstatic.com	CNAME pss.bdstatic.com.a.bdydns.com CNAME opencdnglobal.gshifen.com CNAME opencdnbdpss.jomodns.com A 103.235.45.242	103.235.45.242
newtab.browser.qq.com	CNAME ins-46fgf3ge.ias.tencent-cloud.net A 43.135.106.42 A 43.135.106.212	43.135.106.42
bdb4e1d1d90392c080815d268dfe7f87.rdt.tfogc.com	A 183.214.52.52	183.214.52.52
dss2.bdstatic.com	CNAME sslbaiduv6.jomodns.com A 185.10.104.109 CNAME sslbaidu.gshifen.com	185.10.104.109
search.sogoucdn.com	A 38.60.181.35 A 43.159.81.60 A 211.152.132.208 A 211.152.132.209 A 211.152.132.204 CNAME 96lit7od.ovslegodl-dk.sched.ovscdns.com A 211.152.132.205 A 43.155.149.126 A 38.60.181.33 A 38.60.181.38 A 43.155.149.136 A 150.109.222.148 A 150.109.223.153 CNAME search.sogoucdn.com.cdn.dnsv1.com A 150.109.222.144 A 43.155.149.128 A 203.205.157.127	43.159.81.60
0a0a389bc8b2293cdc7b734e9cf84e2f.rdt.tfogc.com	A 113.141.160.198	113.141.160.198
accounts.google.com	A 74.125.23.84	64.233.188.84
vfiles.gtimg.cn	CNAME vfiles.gtimg.cn.cdn.ettdnsv.com CNAME vfiles.lmtlego.sched.apdcdn.com A 211.152.132.216	211.152.132.216
beacon.cdn.qq.com	A 38.60.181.35 A 43.159.81.60 A 150.109.223.153 CNAME beacon.cdn.qq.com.cdn.dnsv1.com A 211.152.132.209 A 211.152.132.204 CNAME best.ovslegodl.sched.ovscdns.com A 211.152.132.205 A 43.155.149.126 A 38.60.181.33 A 38.60.181.38 A 43.155.149.136 A 150.109.222.148 A 211.152.132.208 A 43.155.149.128 A 150.109.222.144 A 203.205.157.127	211.152.132.208
index-api.2345.com	A 180.101.190.124 CNAME dhwxc.cname.2345.com	180.101.190.124
vd6.l.qq.com	CNAME ins-xgpf4nqt.ias.tencent-cloud.net A 129.226.107.33	129.226.107.33
t12.baidu.com	CNAME t12.baidu.com.a.bdydns.com CNAME opencdnbdsimage.jomodns.com A 175.4.51.36 A 125.74.42.36 A 125.74.1.36 A 182.84.110.36 A 150.138.188.36 A 183.61.177.36 A 171.214.24.36 A 182.140.225.36 A 124.239.243.36 A 171.214.23.36	111.225.213.36
sfp.safe.baidu.com	A 36.110.219.204	36.110.219.204
pb.sogou.com	A 36.155.164.39 A 36.155.183.168 A 36.155.167.208 A 36.155.183.169 A 36.155.166.212 A 36.150.217.117	36.155.166.212
data.ab.qq.com	CNAME ins-djp2m4ow.ias.tencent-cloud.net A 43.154.254.142 A 43.154.240.84	43.154.254.142
s3m6.mdvdns.com	A 104.192.110.245 A 101.198.192.8 CNAME s3m6.mdvdns.com.qh-cdn.com CNAME s3m6.mdvdns.com.webcdn.360qhcdn.com A 101.198.192.7	104.192.108.23
api.live.bilibili.com	A 164.52.44.50 A 164.52.47.54 CNAME a.w.bilicdn1.com CNAME i.w.bilicdn1.com	164.52.47.54
as1.m.hao123.com	A 42.81.8.130 CNAME as1.m.hao123.com.cname210.yjs-cdn.com	42.81.8.130
code.bdstatic.com	CNAME opencdnglobal.jomodns.com CNAME opencdnglobal.gshifen.com CNAME code.bdstatic.com.a.bdydns.com A 103.235.45.242	103.235.45.242
ipsad.l.qq.com	A 43.159.233.95 A 43.129.2.69 CNAME ins-axl5fb54.ias.tencent-cloud.net	43.129.2.69
6ad41852c351bbdf31590130781c1f5c.rdt.tfogc.com	A 175.153.180.110	175.153.180.110
passport-plugin.hao184.com	A 180.163.145.182 CNAME passport-plugin.hao184.com.w.kunluncan.com	61.170.80.232
sapi-wzdh.2345.com	CNAME 1501308122401296.cn-shanghai.fc.aliyuncs.com A 47.102.123.53 A 139.224.227.189 CNAME cn-shanghai-fc-sh-waitan.fc.aliyuncs.com	47.102.123.53
publiclog.zhiyan.tencent-cloud.net	A 121.14.77.149	121.14.77.149
zj-cn-live-comet.chat.bilibili.com	CNAME broadcastlv.chat.bilibili.com CNAME broadcastlv-sh.chat.biliapi.com A 47.101.160.136 A 106.15.230.200 A 139.224.134.15 A 106.14.212.156 A 47.103.86.90 A 139.224.232.216 A 47.101.72.34 A 47.102.106.6 A 47.103.12.10 A 47.101.167.190 A 47.100.115.13 A 47.101.65.12 A 47.101.171.250 A 47.101.146.78 A 47.101.68.63 A 47.101.177.98	47.103.12.10
b.bdstatic.com	A 61.170.103.48 A 118.212.224.48 A 106.225.194.48 A 121.14.135.48 A 171.107.86.48 A 61.170.99.48 A 118.212.230.48 CNAME bcstobos.jomodns.com A 140.249.244.48 A 113.142.207.48 A 180.97.198.48	117.68.52.48
256c3d9bfaf9b50b26a3007eed50f82a.rdt.tfogc.com	A 111.4.66.8	111.4.66.8
passport.baidu.com	CNAME passport.n.shifen.com A 45.113.194.250	45.113.194.250
www-stream.2345cdn.net	CNAME www-stream.2345cdn.net.w.alikunlun.com A 163.181.22.235 A 163.181.22.206 A 163.181.22.236 A 163.181.22.237 A 163.181.22.234 A 163.181.22.238 A 163.181.22.205 A 163.181.22.233	163.181.22.205
checkip.amazonaws.com	CNAME checkip.ap-southeast-1.prod.check-ip.aws.a2z.com CNAME checkip.check-ip.aws.a2z.com A 54.251.128.174 A 52.221.143.66 A 52.221.73.62 A 52.76.219.124 A 52.74.201.26 A 18.138.132.100	52.221.143.66
clientservices.googleapis.com	A 142.250.207.67	142.250.198.3
www.hao123.com	CNAME hao123.n.shifen.com A 103.235.46.98	103.235.46.98
hmcdn.baidu.com	A 222.216.122.48 A 111.170.23.48 A 113.105.172.48 A 111.177.8.48 CNAME webb.jomodns.com A 58.222.20.48 A 113.219.161.48 A 116.163.33.48 CNAME hmcdn.baidu.com.a.jomodns.com A 125.74.110.48 A 123.244.94.48 A 119.167.229.48	124.239.243.48
eclick.baidu.com	A 111.206.208.190 A 110.242.68.137 CNAME eclick.e.shifen.com	111.206.208.190
kde.qq.com	CNAME ins-km9aeh7f.ias.tencent-cloud.net A 129.226.103.169 A 43.154.240.245	129.226.103.169
i.news.qq.com	CNAME i.news.qq.com.eo.dnse2.com A 43.159.81.59	38.60.181.105
topnews.imtt.qq.com	CNAME ins-98ywcj4n.ias.tencent-cloud.net A 101.32.212.153	101.32.212.153
quickstart.imtt.qq.com	A 129.226.107.79 A 129.226.103.233 CNAME ins-6x08osmh.ias.tencent-cloud.net	129.226.103.233
3924a2b0e8a2c4ef0b5b941a5d29f50f.rdt.tfogc.com	A 183.214.52.49	183.214.52.49
430df5a0d910a183ce55ba9aa34a065f.rdt.tfogc.com	A 111.4.66.17	111.4.66.17
data.bilibili.com	A 164.52.0.99 CNAME data.bilicdn2.com A 164.52.0.98	164.52.0.98
trpcpb.imtt.qq.com	CNAME ins-claygsi5.ias.tencent-cloud.net A 129.226.107.205 A 43.129.115.243	129.226.107.205
ltscsy.qq.com	A 116.162.51.251 A 115.54.23.204 A 111.6.1.189 A 120.226.192.12 A 175.6.233.245 CNAME ltscsy.qq.com.chuangcdn.com A 111.48.205.140 CNAME sz-mrvod2-all.gtm.s.csyrtcs.com A 116.162.208.149 A 106.46.24.177 A 111.48.108.173 A 119.36.116.248	116.162.208.149
pcbrowser.dd.qq.com	CNAME pcbrowser.legodlied1.sched.dcloudstc.com A 111.3.90.95 CNAME pcbrowser.dd.tc.qq.com	111.3.90.95
iwan.video.qq.com	CNAME ins-mgs775ud.ias.tencent-cloud.net A 124.156.190.80 A 129.226.107.210	124.156.190.80
webrtcpunch.video.qq.com	CNAME ins-ephef3h4.ias.tencent-cloud.net A 119.147.179.192 A 119.147.179.227	119.147.179.227
www.hao774.com	CNAME www.hao774.com.w.alikunlun.com A 180.163.207.113 A 180.163.207.106 A 180.163.207.110 A 180.163.207.111 A 180.163.207.107 A 180.163.207.108 A 180.163.207.112 A 180.163.207.109	61.170.79.225
apd-ugcvlive.apdcdn.tc.qq.com	CNAME gslb.lmtlego.sched.apdcdn.com A 211.152.132.216	211.152.132.216
config.ab.qq.com	A 43.159.234.88 A 43.154.254.56 CNAME ins-alu6339o.ias.tencent-cloud.net	43.159.234.88
b0218760c889395ec69a3305b7ab05fa.rdt.tfogc.com	A 183.214.52.58	183.214.52.58
sofire.bdstatic.com	A 60.190.116.48 CNAME sofire.jomodns.com	60.190.116.48
s3m6.fenxi.com	A 124.225.141.10 CNAME s3m6.fenxi.com.qh-cdn.com A 113.16.211.1 A 183.131.56.3 CNAME k1.gslb.ksyuncdn.com A 113.96.142.9 A 175.6.254.74 A 58.20.136.192 CNAME s3m6.fenxi.com.download.ks-cdn.com A 42.56.77.10 A 183.61.243.2	61.170.81.233
www.sogou.com	A 119.28.109.132	119.28.109.132

IP Address	Status	Action
116.62.214.53	Active	Moloch
118.178.125.54	Active	Moloch
118.24.85.16	Active	Moloch
124.223.105.161	Active	Moloch
139.196.217.38	Active	Moloch
164.124.101.2	Active	Moloch
18.138.132.100	Active	Moloch
38.147.189.238	Active	Moloch
47.96.87.99	Active	Moloch
47.97.204.105	Active	Moloch
47.98.133.194	Active	Moloch
60.12.184.62	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49183 -> 118.24.85.16:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 124.223.105.161:8902	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 124.223.105.161:8902	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.101:49196 -> 18.138.132.100:443	2054155	ET INFO Observed External IP Lookup Domain (checkip .amazonaws .com) in TLS SNI	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49196 -> 18.138.132.100:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 18.138.132.100:443	2054155	ET INFO Observed External IP Lookup Domain (checkip .amazonaws .com) in TLS SNI	Device Retrieving External IP Address Detected
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2054140	ET INFO External IP Lookup Domain in DNS Lookup (checkip .amazonaws .com)	Device Retrieving External IP Address Detected
UDP 192.168.56.101:60411 -> 164.124.101.2:53	2052580	ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49183 118.24.85.16:443	C=US, O=DigiCert, Inc., CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1	CN=*.minibai.com	40:08:fa:f7:f6:1a:17:0c:aa:c1:99:5b:de:37:59:0c:0e:41:db:cd
TLSv1 192.168.56.101:49196 18.138.132.100:443	C=US, O=Amazon, CN=Amazon RSA 2048 M03	CN=checkip.amazonaws.com	3b:5d:c1:80:5a:4e:53:16:ce:0b:31:80:0c:26:91:07:c7:5b:0d:d0

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 4, 2024, 1:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2024, 1:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2024, 1:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2024, 1:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 4, 2024, 1:25 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 4, 2024, 1:25 p.m.			0	0

Command line console output was observed (38 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: if console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: exist C:\Windows\Temp\drsx\svchosi.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: "" C:\Windows\Temp\drsx\svchosi.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: if console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: exist C:\Windows\Temp\drsx\svchosl.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: "" C:\Windows\Temp\drsx\svchosl.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: net console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: stop xbbrowser_service console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: net console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: stop xblanupdate_svc console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: rd/s/q console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: "C:\Program Files (x86)\mxbbrowser" console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: The system cannot find the file specified. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: ping console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: -n 3 127.0.0.1 console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: nul console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: nul console_handle: 0x0000000000000007	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: if console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: exist C:\Windows\Temp\drsx\svchoxb.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: start console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: "" C:\Windows\Temp\drsx\svchoxb.exe console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: del console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: C:\Windows\Temp\drsx\hl.bat console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: The batch file cannot be found. console_handle: 0x000000000000000f	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: The service name is invalid. console_handle: 0x000000000000000b	1	1
WriteConsoleW Aug. 4, 2024, 1:25 p.m.	buffer: More help is available by typing NET HELPMSG 2185. console_handle: 0x000000000000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 4, 2024, 1:25 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (8 events)

Time & API	Arguments	Status	Return
bind Aug. 4, 2024, 1:25 p.m.	ip_address: 127.0.0.1 socket: 232 port: 0	1	0
listen Aug. 4, 2024, 1:25 p.m.	socket: 232 backlog: 1	1	0
accept Aug. 4, 2024, 1:25 p.m.	ip_address: socket: 232 port: 0	1	240
bind Aug. 4, 2024, 1:25 p.m.	ip_address: 127.0.0.1 socket: 232 port: 0	1	0
listen Aug. 4, 2024, 1:25 p.m.	socket: 232 backlog: 1	1	0
accept Aug. 4, 2024, 1:25 p.m.	ip_address: socket: 232 port: 0	1	248
bind Aug. 4, 2024, 1:25 p.m.	ip_address: 0.0.0.0 socket: 236 port: 0	1	0
bind Aug. 4, 2024, 1:25 p.m.	ip_address: 0.0.0.0 socket: 740 port: 0	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://pcupd.com/tfsoft/xftd/v2/ctf/
suspicious_features	POST method with no referer header				suspicious_request	POST https://mc.minibai.com/api/gv1/push

Performs some HTTP requests (3 events)

request	GET http://pcupd.com/tfsoft/xftd/v2/ctf/
request	POST https://mc.minibai.com/api/gv1/push
request	GET https://checkip.amazonaws.com/

Sends data using the HTTP POST Method (1 event)

request

POST https://mc.minibai.com/api/gv1/push

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (8 events)

ip	116.62.214.53
ip	118.178.125.54
ip	124.223.105.161
ip	38.147.189.238
ip	47.96.87.99
ip	47.97.204.105
ip	47.98.133.194
ip	60.12.184.62

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 4, 2024, 1:25 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Foreign language identified in PE resource (10 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106b84

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106b84

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106b84

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106b84

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106b84

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106b84

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106b84

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106b84

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106ff0

size

0x00000076

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010706c

size

0x00000350

Looks up the external IP address (1 event)

domain

checkip.amazonaws.com

Creates executable files on the filesystem (5 events)

file	C:\Windows\Temp\drsx\hl.bat
file	C:\Windows\Temp\drsx\svchoxb.exe
file	C:\Windows\Temp\drsx\sf.dll
file	C:\Windows\Temp\drsx\svchosi.exe
file	C:\Windows\Temp\drsx\svchosl.exe

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL
cmdline	"C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_IP4RouteTable
wmi	SELECT * FROM Win32_NetworkAdapterConfiguration
wmi	SELECT * FROM Win32_PhysicalMemory

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 4, 2024, 1:26 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL filepath: C:\Windows\System32\cmd.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00062800', u'virtual_address': u'0x00097000', u'entropy': 7.932912008549378, u'name': u'UPX1', u'virtual_size': u'0x00063000'}

entropy

7.93291200855

description

A section with a high entropy has been found

entropy

0.878483835006

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 4, 2024, 1:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 4, 2024, 1:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 4, 2024, 1:25 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 124 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
url	http://www.signatur.rtr.at/de/directory/cps.html0

Yara rule detected in process memory (50 out of 96 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	net stop xblanupdate_svc
cmdline	ping -n 3 127.0.0.1
cmdline	net stop xbbrowser_service
cmdline	C:\Windows\System32\cmd.exe /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL
cmdline	"C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\drsx\svchosi.exe >> NUL

Executes one or more WMI queries which can be used to identify virtual machines (2 events)

wmi	SELECT * FROM Win32_PhysicalMemory
wmi	SELECT * FROM Win32_NetworkAdapterConfiguration

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: fa2dd7cb64847733f417736d51e7a775659df7fa

Communicates with host for which no DNS query was performed (6 events)

host	116.62.214.53
host	124.223.105.161
host	47.96.87.99
host	47.97.204.105
host	47.98.133.194
host	60.12.184.62

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 4, 2024, 1:26 p.m.	process_identifier: 1284 region_size: 397312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000168	1	0	0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 4, 2024, 1:25 p.m.	key_handle: 0x000002b4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Drops a binary and executes it (3 events)

file	C:\Windows\Temp\drsx\svchosi.exe
file	C:\Windows\Temp\drsx\svchosl.exe
file	C:\Windows\Temp\drsx\svchoxb.exe

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2728 manipulating memory of non-child process 1284
NtAllocateVirtualMemory Aug. 4, 2024, 1:26 p.m.	process_identifier: 1284 region_size: 397312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x00000168	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2728 injected into non-child 1284
WriteProcessMemory Aug. 4, 2024, 1:26 p.m.	buffer: UììÄ¥PÿÿÿjTÿÿÿPèGjNXf<ÿÿÿjtXf>ÿÿÿjdXf@ÿÿÿjlXfBÿÿÿjlXfDÿÿÿj.XfFÿÿÿjdXfHÿÿÿjlXfJÿÿÿjlXfLÿÿÿ3ÀfNÿÿÿ<ÿÿÿPèEô}u3ÀéÄÆE¤LÆE¥dÆE¦rÆE§GÆE¨eÆE©tÆEªPÆE«rÆE¬oÆEcÆE®eÆE¯dÆE°uÆE±rÆE²eÆE³AÆE´dÆEµdÆE¶rÆE·eÆE¸sÆE¹sÆEºjXfEøjXfEúE¤EüTÿÿÿPjEøPÿuôèB½Tÿÿÿu ÇTÿÿÿ ÆEèLÆEédÆEêrÆEëLÆEìoÆEíaÆEîdÆEïDÆEðlÆEñlÆEòj XfEøjXfEúEèEü\ÿÿÿPjEøPÿuôÿTÿÿÿE@$¶ÀÀu'PÿÿÿPEÿpjjÿ\ÿÿÿMPÿÿÿé ÆENÆEtÆEAÆElÆElÆEoÆEcÆEaÆEtÆEeÆEVÆEiÆErÆEtÆEuÆEaÆElÆEMÆEeÆEmÆE oÆE¡rÆE¢yÆE£jXfEøjXfEúEEüXÿÿÿPjEøPÿuôÿTÿÿÿÆEÔRÆEÕtÆEÖlÆE×IÆEØnÆEÙiÆEÚtÆEÛAÆEÜnÆEÝsÆEÞiÆEßSÆEàtÆEárÆEâiÆEãnÆEägÆEåjXfEøjXfEúEÔEü`ÿÿÿPjEøPÿuôÿTÿÿÿÆlÿÿÿRÆmÿÿÿtÆnÿÿÿlÆoÿÿÿAÆpÿÿÿnÆqÿÿÿsÆrÿÿÿiÆsÿÿÿSÆtÿÿÿtÆuÿÿÿrÆvÿÿÿiÆwÿÿÿnÆxÿÿÿgÆyÿÿÿTÆzÿÿÿoÆ{ÿÿÿUÆ\|ÿÿÿnÆ}ÿÿÿiÆ~ÿÿÿcÆÿÿÿoÆEdÆEeÆESÆEtÆErÆEiÆEnÆEgÆEjXfEøjXfEúlÿÿÿEüdÿÿÿPjEøPÿuôÿTÿÿÿÆE¼RÆE½tÆE¾lÆE¿FÆEÀrÆEÁeÆEÂeÆEÃUÆEÄnÆEÅiÆEÆcÆEÇoÆEÈdÆEÉeÆEÊSÆEËtÆEÌrÆEÍiÆEÎnÆEÏgÆEÐjXfEøjXfEúE¼EühÿÿÿPjEøPÿuôÿTÿÿÿ½Tÿÿÿt-½Xÿÿÿt$½\ÿÿÿt½`ÿÿÿt½dÿÿÿt ½hÿÿÿu3ÀëTÿÿÿPÿuèÉÂUìQ}t eüëEü@EüEü;E}EEüÆëæÉÂUìME+ÈS@Ût:Útò¶Ê¶Ã+Áë¶Â÷Ø[]ÂUìS]VWM·1ÁÆMH¿À ·ÐfùÆ·3GÐ[Æ·úH¾À ·ÐfùÆGÐ·Âfÿt f;øt¶ÈÇ+Áë÷Ø_^[]ÂUìd¡0VWÀt#@Àtx7ëÿuÿv0ètÿÿÿÀt6;÷uë3À_^]ÂFëõUìSVuWöt}MÉtv}tp¸MZf9ufF<<0PEuZ\0xÛtRD3 3ÿÆE9\|3vAIM¸ÆPQèÔþÿÿÀtEGM;\|3rãëD3$x·0D3M0Æ_^3À[]ÂUììDMV3öWy @y}äuøuü´ÿ¬¸MZf9S_<]ðø9A <;PEzfD;¹ f#Áf;Ád¸àf9D;T·D;3ÒEØÀt)ËuA;F uø·D;BÁ(;Ð\|ßL;83ÒD;THMèÁ÷ñÈ·D;¯MèÀt;·}Øó]èFø9O3ÒHv(FÔÃ÷ó¯Ã;ÈMÁÈïuÜuø}ä]ðÉ¹j@hEìMìPjEüPEjÿÿPuüuøö·L;3ÒÁMÜkÀ(D;TEØÀ~È:2Buü;Ñ\|ò·D;uøëEÜ3É3ÒMèf;ÐsTÓBüÀt2:t-eØÆ:EÜv]ØðB;3C;rïuü]ðMè·D;AÂ(Mè;È\|·uø; À©¼;¤Î3Ò+L;4MÌ0AEôUèMàEôv}ô¾ðÇEÜ0ÇEØ AEÔGøÑèjEÐ[t}ÔÈfÆf#_f;EÜtf;EØuBÇC;Ù\|äMà}ôUèÏMày}ôÇu²uø}ä]ðÒeøj@EìEìhPjEøPEjÿÿPEøuüEôÀÉ; ÎQÂ³}ôBøÑèjEÔXEà·DAÐâðf;UÜtf;UØu^eô%ÿUèÆÒ~]ôÛ]Ð]ðt 9EÐt5ÿEô9Uô\|ãUÌ3Ò}èÿ~uøuô<t B;×\|õ}ôë}øuüEà@Eà;EÔyÿÿÿQÊQÂSÿÿÿ}ä;À10QMôÒíAÆEØÀtÆëEØeðEä2uPEÄPÿVjEÄPE¼PÿVEðPE¼PjjÿVE¼PÿVMðÉÅuäeÜÀtzeàeèÀy·ÀÀ¡UèRPEjQÿë+uüÀÆuPEÄPÿVEèPjEÄPÿuðÿuäEèÀt`MàUØ UÜBUÜÁâUàÀtMðëMôuüÁéÿÿÿD;(t;4]EüjjÿuüÇnÿÐöCt h8ÿuüèùÿÿuü[_Æ^ÉÂ base_address: 0x0087f600 process_identifier: 1284 process_handle: 0x00000168	1	1	0
WriteProcessMemory Aug. 4, 2024, 1:26 p.m.	buffer: ö base_address: 0x008800d6 process_identifier: 1284 process_handle: 0x00000168	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2660 resumed a thread in remote process 2728
Process injection	Process 2660 resumed a thread in remote process 2804
Process injection	Process 2660 resumed a thread in remote process 1384
NtResumeThread Aug. 4, 2024, 1:25 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2728	1	0	0
NtResumeThread Aug. 4, 2024, 1:25 p.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2804	1	0	0
NtResumeThread Aug. 4, 2024, 1:25 p.m.	thread_handle: 0x0000000000000074 suspend_count: 0 process_identifier: 1384	1	0	0

Tries to detect Sandboxie (1 event)

mutex

Sandboxie_SingleInstanceMutex_Control

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Reconyc.4!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 99)
ALYac	Trojan.GenericKD.72181802
Cylance	Unsafe
VIPRE	Trojan.GenericKD.72181802
Sangfor	Trojan.Win32.Reconyc.Vq9f
BitDefender	Trojan.GenericKD.72181802
Cybereason	malicious.cf0731
Arcabit	Trojan.Generic.D44D682A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.FWHPHXK
APEX	Malicious
Avast	Win64:DropperX-gen [Drp]
Kaspersky	Trojan.Win32.Reconyc.pofo
MicroWorld-eScan	Trojan.GenericKD.72181802
Rising	Trojan.Reconyc!8.153 (CLOUD)
Emsisoft	Trojan.GenericKD.72181802 (B)
F-Secure	Trojan.TR/Reconyc.thiwi
DrWeb	Trojan.Siggen28.118
Zillya	Trojan.Fsysna.Win32.66696
TrendMicro	TROJ_GEN.R002C0XD524
McAfeeD	ti!847E71DBCD39
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.d161e13cf0731d0b
Sophos	Mal/Generic-S
Ikarus	Trojan.SuspectCRC
Google	Detected
Avira	TR/Reconyc.thiwi
Antiy-AVL	Trojan/Win32.Reconyc
Kingsoft	malware.kb.b.789
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	Trojan.Win32.Reconyc.pofo
GData	Trojan.GenericKD.72181802
AhnLab-V3	Downloader/Win.Powershell.C5655683
DeepInstinct	MALICIOUS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0XD524
Tencent	Malware.Win32.Gencirc.1409c951
Yandex	Trojan.Reconyc!3MDrTkzBlgA
MAX	malware (ai score=82)
Fortinet	W32/PossibleThreat
AVG	Win64:DropperX-gen [Drp]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (W)
alibabacloud	Trojan:Win/Reconyc.pofo

jf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All