Edit tour

Windows Analysis Report
https://sj.qq.com/appdetail/com.xieli.mzpdfconversion

Overview

General Information

Sample URL:	https://sj.qq.com/appdetail/com.xieli.mzpdfconversion
Analysis ID:	1667377
Infos:

Detection

Score:	2
Range:	0 - 100
Confidence:	80%

Signatures

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 5624 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wget.exe (PID: 6456 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

chrome.exe (PID: 6304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\com.xieli.mzpdfconversion.svg MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 1908 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,5890468377871130087,14425876592810880288,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2072 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 8676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,5890468377871130087,14425876592810880288,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5032 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4780, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion" > cmdline.out 2>&1, ProcessId: 5624, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 129.226.107.102:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.9.104:443 -> 192.168.2.5:49703 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.15.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.15.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.15.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.15.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.15.94
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.15.94
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.10
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /appdetail/com.xieli.mzpdfconversion HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: sj.qq.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: sj.qq.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://127.0.0.1:
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://base.emplatform.cn:8080/#/news/privacy_policy/qq/16731
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://base.emplatform.cn:8080/#/news/privacy_policy/qq/1888
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://dt.gzduoting.com/scenead-frontend/agreement?type=1
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.365you.com/micro/agreement/show?protocol=privacyAgreement
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.gtimg.cn/open/appstore/imgupload/202009/1048275511_1600757018307219.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.gtimg.cn/open/appstore/imgupload/202009/1372900791_1600757131977200.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.gtimg.cn/open/appstore/imgupload/202009/1912318443_1600757163477031.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.gtimg.cn/open/appstore/imgupload/202009/2109761587_1600756995207366.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.gtimg.cn/open/appstore/imgupload/202009/262136661_1600757041392709.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.gtimg.cn/open/appstore/imgupload/202009/319106809_1600757005824492.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.gtimg.cn/open/appstore/imgupload/202009/947352198_1600757032201002.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://i.gtimg.cn/open/appstore/imgupload/202009/987938206_1600757147164474.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://imtt2.dd.qq.com/sjy.00008/sjy.00004/16891/apk/C91B46D07B219774CEBC1FE0A1E096A5.apk?fsname=com
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_52673503_1664518138/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_52681662_1526524704/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_52734084_1534818334/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_53936938_1733472506/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54142316_1741764873/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54152750_1742372226/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54171177_1739175145/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54202051_1637206071/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54228315_1742891023/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54234946_1653391217/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54241205_1667810486/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54242586_1732072179/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54259270_1740362579/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54264618_1662345616/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54265475_1744450839/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54267501_1738111498/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54305309_1742380635/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54307264_1703642793/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54330158_1744269140/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54333439_1725516211/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54354806_1725524657/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54363034_1724853865/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54379108_1713941749/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54395395_1725516896/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54396106_1741241026/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54411350_1744181441/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54418828_1726738175/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54419121_1744268576/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_icon/0/icon_54433301_1736152820/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_54265475_1_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_54265475_2_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_54265475_3_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_54265475_4_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_54265475_5_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_5848_1_1744706077/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_5848_2_1744706077/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_5848_3_1744706077/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_5848_4_1744706077/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://pp.myapp.com/ma_pic2/0/shot_5848_5_1744706077/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://privacy.szgaojingjian.com/aitool.html?n=
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/1ad05e5fa4d2868318279d9809088970/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/43cecff62bae1263dc00992cc6e2fc0b/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/44eba3e3e731517958ce78035c3c509b/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/4d13f11f329900a3184f45d07658b69f/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/628512e1ecce2b6de5d738837ac39c87/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/67853eea789421351240e45a64d2a72d/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/69dff08e7901600aedb75bf0b0725fc2/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/7e3bec0aa42e7089989440d793caf2f9/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/7fe9d46896eefeea1c41db24e6ba628d/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/8ec89ac6a8a402ddee1024884f7de889/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/96a16de00574c18f56980c374019c16f/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/be6605d23d2c459eec275ce6481c0484/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/c923fe4849ce6ac1620b0b2c47e679be/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/cd07e20e0688d2b86a1ed1a5eeeec7dd/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://shp.qpic.cn/gft/123/f60eed9e73bc03bc833a174807b11394/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: http://www.tencent.com/zh-cn/statement.html
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://app.open.qq.com/p/connect-us
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://apps.apple.com/cn/app/%E8%BD%AC%E8%BD%AC%E5%A4%A7%E5%B8%88pro/id6445943822
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://apps.apple.com/cn/app/gooh%E6%97%85%E8%AE%B0-%E6%97%85%E6%B8%B8%E8%A1%8C%E7%A8%8B%E8%A7%84%E
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://apps.apple.com/cn/app/id1253914505
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://apps.apple.com/cn/app/id1629864383
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://apps.apple.com/cn/app/id1631498311
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://apps.apple.com/cn/app/id1633359278
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://apps.apple.com/cn/app/id6449963912
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://careers.tencent.com/
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=09f925af31769d2cfa564af4eca65e0e
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=2ab4af6e1e21c48aceb49c01618495cc
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=3239202269344b6280a1566d40036dd9
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=5cec3b497bb669dec1b144f87a08b21f
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=7385a4becdaa6e2b2161d5c0e99c1d8a
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=bbd5d9fd3e5a0940d50f99d519c85677
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=e58e272301000a0d8ae75e831f08f22e
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://chat.deepseek.com/downloads/DeepSeek%20%E9%9A%90%E7%A7%81%E6%94%BF%E7%AD%96.html
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/ARq8ofsW.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/Kq9c8JGZ.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/Lux83BB5.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/RIYoJ7eW.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/Y1Mj2SO4.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/oLB1K6oC.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/prx0vUhF.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/vVnP1SOy.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://cms.myapp.com/wupload/xy/yybgame/zvcKtRhj.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://d3g.qq.com/qzone/privavyAgreement20200825.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://game.qq.com/privacy_guide.shtml
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://game.qq.com/tencent_other_privacy.shtml
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://gongyi.qq.com/
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://h5.daotudashi.com/wap_pay/privacy/individual/zh/privacy.html?soft_name=
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://h5.nnxieli.com/app/nnxieli/privacy.html?soft_name=
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://h5.nnxieli.com/app/nnxieli/privacy.html?soft_name=Styler
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://h5.nnxieli.com/app/nnxieli/privacy.php?soft_name=
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://haixingchuangxiang.com/apps/zczj/privacy/privacy_hx.html
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.weibo.cn/u/2434411070?uid=2434411070&t=0&luicode=10000011&lfid=100103type%3D1%
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=52673503
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=52681662
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=52734084
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=54202051
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=54234946
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=54241205
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=54264618
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=54307264
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://m.yyb.qq.com/new-game/booking-detail/?appid=54379108
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1653383047502551353_68859.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1653383050956186719_69907.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1662015409012191539_70645.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1662015438697465049_67944.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1662015459353947992_8240.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1662015562013409075_53528.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1662015573359412709_70882.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1662015581885607696_86175.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1662015590345127999_26588.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1662015600551358637_63836.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1713940725756430631_44292.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1713940763750964501_36995.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1735900510565840184_57672.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1735900514051667423_52139.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1735900517453175092_86132.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1735900520952952576_49800.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1735900524099815152_17683.jpg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1735903252305695086_44875.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1735903255825128790_58628.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://open-experiment-material-1258344701.file.myqcloud.com/img/1735903259055053264_1939.png
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://ovact.yyb.qq.com/magic-act/eLMkwqG7U5KFqD4ap3zJfHR7aB/index_index.html?page=index
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pdftoword.55.la/html/privacy/zzds.html
Source: wget.exe, 00000003.00000003.1319891978.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_10553459_1737010938/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_206678_1743084185/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_53933588_1737009651/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_53936938_1733472506/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54142316_1741764873/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54152750_1742372226/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54156958_1743660486/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54171177_1739175145/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54184588_1743647842/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54228315_1742891023/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54242586_1732072179/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54259270_1740362579/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54265475_1744450839/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54267501_1738111498/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54305309_1742380635/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54330158_1744269140/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54330344_1744707774/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54333439_1725516211/256
Source: wget.exe, 00000003.00000003.1319891978.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54335182_1744793784/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54354806_1725524657/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54363034_1724853865/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54395395_1725516896/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54396106_1741241026/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54399769_1739324268/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54411350_1744181441/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54418333_1743559422/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54418828_1726738175/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54419121_1744268576/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54433301_1736152820/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_icon/0/icon_54449159_1744870081/256
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_pic2/0/shot_54265475_1_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_pic2/0/shot_54265475_2_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_pic2/0/shot_54265475_3_1744450836/0
Source: wget.exe, 00000003.00000003.1320220935.0000000002B02000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1320151742.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000002.1320789608.0000000002B03000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_pic2/0/shot_54265475_4_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://pp.myapp.com/ma_pic2/0/shot_54265475_5_1744450836/0
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://privacy.qq.com/document/preview/41461bd464274ce0b5e34181785f5c13
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://rule.tencent.com/rule/41950247-a569-44f5-8112-5163b0d5a58b
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://sj.qq.com/
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://sj.qq.com/appdetail/com.example.yinleme.imgzh
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://sj.qq.com/appdetail/com.foxit.mobile.pdf.edit
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://sj.qq.com/appdetail/com.hudun.androidpdfchanger
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://sj.qq.com/appdetail/com.lgq.struggle.pdf.editer
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://sj.qq.com/appdetail/com.scannerpdf.ns.master
Source: com.xieli.mzpdfconversion.3.dr, cmdline.out.1.dr	String found in binary or memory: https://sj.qq.com/appdetail/com.xieli.mzpdfconversion
Source: wget.exe, 00000003.00000002.1320630156.0000000000DD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sj.qq.com/appdetail/com.xieli.mzpdfconversionOC
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://sj.qq.com/appdetail/jzfd.tppdfzhv.kbdwry
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://space.bilibili.com/473656532?spm_id_from=333.337.0.0
Source: wget.exe, 00000003.00000003.1320220935.0000000002B02000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1320151742.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000002.1320789608.0000000002B03000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com
Source: wget.exe, 00000003.00000003.1320220935.0000000002B02000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1320151742.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000002.1320789608.0000000002B03000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.sj.qq.com/_next/static/chu
Source: wget.exe, 00000003.00000003.1320220935.0000000002B02000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1320151742.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000002.1320789608.0000000002B03000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.sj.qq.com/_next/static/chunks/main-fb91761123cbcf54.js
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com/img/bilibili-logo.svg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com/img/game_detail_yyb_qrcode.png?imageMogr2/format/webp
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com/img/kuaishou-logo.svg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com/img/weibo-logo.svg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com/img/weixin-logo.svg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com/img/yyb-account.jpg?imageMogr2/thumbnail/248x/format/webp
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com/img/yyb-icon-with-background.svg
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://static.sj.qq.com/img/yyb-logo.svg
Source: wget.exe, 00000003.00000003.1319891978.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://terms.alicdn.com/legal-agreement/terms/privacy_policy_full/20231011201849846/202310112018498
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://thirdwx.qlogo.cn/mmopen/vi_32/DYAIOgq83eqicUp2CIGHrOJtl76KrtSMvQjHC16RrrLPl90ov5nibXbwHvxgcw
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://thirdwx.qlogo.cn/mmopen/vi_32/PiajxSqBRaEL3CJ0icFe87eElXxlryj31icWnvGQyRvlHmjk5lIYnBqedb628u
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://thirdwx.qlogo.cn/mmopen/vi_32/wXBRnlwuk4vSGrgT7ibm6mLgQrN7zItbmLLZbQMQe1ts809vgjUN4EuKI5bezL
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.cqmiaoa.com/gooh/privacy_policy.html
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.doubao.com/legal/privacy
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.kuaishou.com/profile/3xqhfgbn5s7ymhe
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.qicaijingshi.com/privacy.html
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.qq.com/contract.shtml
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.tencent.com/en-us/index.html
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.tencent.com/zh-cn/index.html
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.tencent.com/zh-cn/partnership.html
Source: com.xieli.mzpdfconversion.3.dr	String found in binary or memory: https://www.yifanads.com/app/apkanaly/privacy_zh.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 129.226.107.102:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.9.104:443 -> 192.168.2.5:49703 version: TLS 1.2

Source: classification engine

Classification label: clean2.win@25/2@3/4

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\com.xieli.mzpdfconversion.svg
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,5890468377871130087,14425876592810880288,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2072 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,5890468377871130087,14425876592810880288,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5032 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,5890468377871130087,14425876592810880288,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2072 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,5890468377871130087,14425876592810880288,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5032 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: explorerframe.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: wget.exe, 00000003.00000002.1320459143.0000000000A58000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion" > cmdline.out 2>&1

Source: C:\Windows\SysWOW64\wget.exe

Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://sj.qq.com/appdetail/com.xieli.mzpdfconversion	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label
https://careers.tencent.com/	0%	Avira URL Cloud	safe
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=bbd5d9fd3e5a0940d50f99d519c85677	0%	Avira URL Cloud	safe
http://imtt2.dd.qq.com/sjy.00008/sjy.00004/16891/apk/C91B46D07B219774CEBC1FE0A1E096A5.apk?fsname=com	0%	Avira URL Cloud	safe
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=2ab4af6e1e21c48aceb49c01618495cc	0%	Avira URL Cloud	safe
http://dt.gzduoting.com/scenead-frontend/agreement?type=1	0%	Avira URL Cloud	safe
http://privacy.szgaojingjian.com/aitool.html?n=	0%	Avira URL Cloud	safe
https://rule.tencent.com/rule/41950247-a569-44f5-8112-5163b0d5a58b	0%	Avira URL Cloud	safe
https://pdftoword.55.la/html/privacy/zzds.html	0%	Avira URL Cloud	safe
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=09f925af31769d2cfa564af4eca65e0e	0%	Avira URL Cloud	safe
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=7385a4becdaa6e2b2161d5c0e99c1d8a	0%	Avira URL Cloud	safe
https://app.open.qq.com/p/connect-us	0%	Avira URL Cloud	safe
http://base.emplatform.cn:8080/#/news/privacy_policy/qq/16731	0%	Avira URL Cloud	safe
https://h5.nnxieli.com/app/nnxieli/privacy.html?soft_name=	0%	Avira URL Cloud	safe
https://ovact.yyb.qq.com/magic-act/eLMkwqG7U5KFqD4ap3zJfHR7aB/index_index.html?page=index	0%	Avira URL Cloud	safe
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=e58e272301000a0d8ae75e831f08f22e	0%	Avira URL Cloud	safe
https://h5.daotudashi.com/wap_pay/privacy/individual/zh/privacy.html?soft_name=	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
ins-przegge7.ias.tencent-cloud.net	129.226.107.102	true	false	unknown
www.google.com	142.250.9.104	true	false	high
sj.qq.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://sj.qq.com/appdetail/com.xieli.mzpdfconversion	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://static.sj.qq.com/img/bilibili-logo.svg	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54395395_1725516896/256	com.xieli.mzpdfconversion.3.dr	false		high
http://shp.qpic.cn/gft/123/96a16de00574c18f56980c374019c16f/0	com.xieli.mzpdfconversion.3.dr	false		high
https://static.sj.qq.com/img/game_detail_yyb_qrcode.png?imageMogr2/format/webp	com.xieli.mzpdfconversion.3.dr	false		high
http://imtt2.dd.qq.com/sjy.00008/sjy.00004/16891/apk/C91B46D07B219774CEBC1FE0A1E096A5.apk?fsname=com	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://m.yyb.qq.com/new-game/booking-detail/?appid=54379108	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_pic2/0/shot_5848_3_1744706077/0	com.xieli.mzpdfconversion.3.dr	false		high
https://cms.myapp.com/wupload/xy/yybgame/vVnP1SOy.jpg	com.xieli.mzpdfconversion.3.dr	false		high
https://rule.tencent.com/rule/41950247-a569-44f5-8112-5163b0d5a58b	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://www.tencent.com/zh-cn/index.html	com.xieli.mzpdfconversion.3.dr	false		high
http://i.gtimg.cn/open/appstore/imgupload/202009/262136661_1600757041392709.jpg	com.xieli.mzpdfconversion.3.dr	false		high
http://i.gtimg.cn/open/appstore/imgupload/202009/319106809_1600757005824492.jpg	com.xieli.mzpdfconversion.3.dr	false		high
https://m.yyb.qq.com/new-game/booking-detail/?appid=52681662	com.xieli.mzpdfconversion.3.dr	false		high
https://static.sj.qq.com/_next/static/chunks/main-fb91761123cbcf54.js	wget.exe, 00000003.00000003.1320220935.0000000002B02000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1320151742.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000002.1320789608.0000000002B03000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.sj.qq.com/img/weixin-logo.svg	com.xieli.mzpdfconversion.3.dr	false		high
https://m.yyb.qq.com/new-game/booking-detail/?appid=54234946	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54411350_1744181441/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_pic2/0/shot_54265475_2_1744450836/0	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54142316_1741764873/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54363034_1724853865/256	com.xieli.mzpdfconversion.3.dr	false		high
https://cms.myapp.com/wupload/xy/yybgame/prx0vUhF.jpg	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_pic2/0/shot_54265475_2_1744450836/0	com.xieli.mzpdfconversion.3.dr	false		high
https://static.sj.qq.com/img/kuaishou-logo.svg	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54363034_1724853865/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54395395_1725516896/256	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54142316_1741764873/256	com.xieli.mzpdfconversion.3.dr	false		high
https://sj.qq.com/appdetail/com.example.yinleme.imgzh	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54399769_1739324268/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54228315_1742891023/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54433301_1736152820/256	com.xieli.mzpdfconversion.3.dr	false		high
https://sj.qq.com/appdetail/com.lgq.struggle.pdf.editer	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54234946_1653391217/256	com.xieli.mzpdfconversion.3.dr	false		high
https://m.yyb.qq.com/new-game/booking-detail/?appid=54202051	com.xieli.mzpdfconversion.3.dr	false		high
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=bbd5d9fd3e5a0940d50f99d519c85677	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://pp.myapp.com/ma_icon/0/icon_54449159_1744870081/256	com.xieli.mzpdfconversion.3.dr	false		high
https://careers.tencent.com/	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://www.tencent.com/zh-cn/partnership.html	com.xieli.mzpdfconversion.3.dr	false		high
https://m.yyb.qq.com/new-game/booking-detail/?appid=52673503	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54305309_1742380635/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pdftoword.55.la/html/privacy/zzds.html	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
http://pp.myapp.com/ma_icon/0/icon_54354806_1725524657/256	com.xieli.mzpdfconversion.3.dr	false		high
https://terms.alicdn.com/legal-agreement/terms/privacy_policy_full/20231011201849846/202310112018498	wget.exe, 00000003.00000003.1319891978.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, com.xieli.mzpdfconversion.3.dr	false		high
https://sj.qq.com/appdetail/com.scannerpdf.ns.master	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54418828_1726738175/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54171177_1739175145/256	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54307264_1703642793/256	com.xieli.mzpdfconversion.3.dr	false		high
http://shp.qpic.cn/gft/123/67853eea789421351240e45a64d2a72d/0	com.xieli.mzpdfconversion.3.dr	false		high
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=2ab4af6e1e21c48aceb49c01618495cc	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://static.sj.qq.com	wget.exe, 00000003.00000003.1320220935.0000000002B02000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1320151742.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000002.1320789608.0000000002B03000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000003.1319891978.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_pic2/0/shot_54265475_1_1744450836/0	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_pic2/0/shot_5848_4_1744706077/0	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54379108_1713941749/256	com.xieli.mzpdfconversion.3.dr	false		high
http://shp.qpic.cn/gft/123/4d13f11f329900a3184f45d07658b69f/0	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_pic2/0/shot_54265475_1_1744450836/0	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_pic2/0/shot_54265475_5_1744450836/0	com.xieli.mzpdfconversion.3.dr	false		high
http://privacy.szgaojingjian.com/aitool.html?n=	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://cms.myapp.com/wupload/xy/yybgame/Kq9c8JGZ.png	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_52734084_1534818334/256	com.xieli.mzpdfconversion.3.dr	false		high
http://shp.qpic.cn/gft/123/7e3bec0aa42e7089989440d793caf2f9/0	com.xieli.mzpdfconversion.3.dr	false		high
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=09f925af31769d2cfa564af4eca65e0e	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=7385a4becdaa6e2b2161d5c0e99c1d8a	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://static.sj.qq.com/img/weibo-logo.svg	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_53933588_1737009651/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_pic2/0/shot_54265475_5_1744450836/0	com.xieli.mzpdfconversion.3.dr	false		high
http://i.gtimg.cn/open/appstore/imgupload/202009/987938206_1600757147164474.png	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_pic2/0/shot_54265475_3_1744450836/0	com.xieli.mzpdfconversion.3.dr	false		high
http://shp.qpic.cn/gft/123/8ec89ac6a8a402ddee1024884f7de889/0	com.xieli.mzpdfconversion.3.dr	false		high
http://shp.qpic.cn/gft/123/7fe9d46896eefeea1c41db24e6ba628d/0	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_pic2/0/shot_54265475_3_1744450836/0	com.xieli.mzpdfconversion.3.dr	false		high
http://dt.gzduoting.com/scenead-frontend/agreement?type=1	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://app.open.qq.com/p/connect-us	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
http://pp.myapp.com/ma_icon/0/icon_54433301_1736152820/256	com.xieli.mzpdfconversion.3.dr	false		high
https://h5.daotudashi.com/wap_pay/privacy/individual/zh/privacy.html?soft_name=	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:	com.xieli.mzpdfconversion.3.dr	false		high
http://base.emplatform.cn:8080/#/news/privacy_policy/qq/16731	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
http://pp.myapp.com/ma_icon/0/icon_54171177_1739175145/256	com.xieli.mzpdfconversion.3.dr	false		high
https://ovact.yyb.qq.com/magic-act/eLMkwqG7U5KFqD4ap3zJfHR7aB/index_index.html?page=index	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
https://sj.qq.com/	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_52673503_1664518138/256	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54241205_1667810486/256	com.xieli.mzpdfconversion.3.dr	false		high
https://thirdwx.qlogo.cn/mmopen/vi_32/DYAIOgq83eqicUp2CIGHrOJtl76KrtSMvQjHC16RrrLPl90ov5nibXbwHvxgcw	com.xieli.mzpdfconversion.3.dr	false		high
https://cms.myapp.com/wupload/xy/yybgame/oLB1K6oC.png	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54305309_1742380635/256	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_54419121_1744268576/256	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54418828_1726738175/256	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_icon/0/icon_53936938_1733472506/256	com.xieli.mzpdfconversion.3.dr	false		high
https://sj.qq.com/appdetail/jzfd.tppdfzhv.kbdwry	com.xieli.mzpdfconversion.3.dr	false		high
https://pp.myapp.com/ma_icon/0/icon_54265475_1744450839/256	com.xieli.mzpdfconversion.3.dr	false		high
https://www.doubao.com/legal/privacy	com.xieli.mzpdfconversion.3.dr	false		high
http://pp.myapp.com/ma_pic2/0/shot_5848_2_1744706077/0	com.xieli.mzpdfconversion.3.dr	false		high
https://m.weibo.cn/u/2434411070?uid=2434411070&t=0&luicode=10000011&lfid=100103type%3D1%	com.xieli.mzpdfconversion.3.dr	false		high
http://i.gtimg.cn/open/appstore/imgupload/202009/2109761587_1600756995207366.jpg	com.xieli.mzpdfconversion.3.dr	false		high
https://m.yyb.qq.com/new-game/booking-detail/?appid=54264618	com.xieli.mzpdfconversion.3.dr	false		high
https://game.qq.com/tencent_other_privacy.shtml	com.xieli.mzpdfconversion.3.dr	false		high
https://cftweb.3g.qq.com/privacy/privacyPolicy?content_id=e58e272301000a0d8ae75e831f08f22e	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
http://i.gtimg.cn/open/appstore/imgupload/202009/1048275511_1600757018307219.jpg	com.xieli.mzpdfconversion.3.dr	false		high
https://m.yyb.qq.com/new-game/booking-detail/?appid=54241205	com.xieli.mzpdfconversion.3.dr	false		high
https://h5.nnxieli.com/app/nnxieli/privacy.html?soft_name=	com.xieli.mzpdfconversion.3.dr	false	Avira URL Cloud: safe	unknown
http://pp.myapp.com/ma_icon/0/icon_54330158_1744269140/256	com.xieli.mzpdfconversion.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.9.104	www.google.com	United States		15169	GOOGLEUS	false
129.226.107.102	ins-przegge7.ias.tencent-cloud.net	Singapore		132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false

Private

IP
192.168.2.23
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1667377
Start date and time:	2025-04-17 12:05:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://sj.qq.com/appdetail/com.xieli.mzpdfconversion
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.win@25/2@3/4

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.213.193, 199.232.214.172, 172.253.124.102, 172.253.124.101, 172.253.124.138, 172.253.124.139, 172.253.124.113, 172.253.124.100, 108.177.122.94, 173.194.219.84, 108.177.122.102, 108.177.122.138, 108.177.122.100, 108.177.122.139, 108.177.122.101, 108.177.122.113, 142.250.9.100, 142.250.9.139, 142.250.9.113, 142.250.9.102, 142.250.9.101, 142.250.9.138, 74.125.138.100, 74.125.138.102, 74.125.138.113, 74.125.138.138, 74.125.138.139, 74.125.138.101, 173.194.219.102, 173.194.219.101, 173.194.219.138, 173.194.219.113, 173.194.219.100, 173.194.219.139, 64.233.185.101, 64.233.185.139, 64.233.185.102, 64.233.185.138, 64.233.185.100, 64.233.185.113, 172.253.124.94, 172.217.215.94, 74.125.136.102, 74.125.136.100, 74.125.136.113, 74.125.136.139, 74.125.136.138, 74.125.136.101, 20.12.23.50, 150.171.28.254
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://sj.qq.com/appdetail/com.xieli.mzpdfconversion

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1116
Entropy (8bit):	4.105129495180761
Encrypted:	false
SSDEEP:	12:HmF2RJSNuF1T1De5RhKLd1DbV3JRbKex6zUDiRY6h1/IKLFQuCiV3JRbKPv:GTNuDxePgR1NPbLG7qBQPbWv
MD5:	C73948C3264305DD1E07956151CCB6BF
SHA1:	4D8AEB1D5BBCD1E9381D192B2BD587A0CAA16DA2
SHA-256:	EE1624E95D572DFE38DFC3698753ED9323DD30E7156FC369BD0C5533EA308C5A
SHA-512:	47399DC74B076C5F06DDD01DFF7FE6B2103EA95982ECE0DDD0061648FB2142F64BDDA8A6708967ECEBB1A34CE1BBBCD1E2951D50CA982DC9AB802ED244C6F2C7
Malicious:	false
Reputation:	low
Preview:	--2025-04-17 06:05:52-- https://sj.qq.com/appdetail/com.xieli.mzpdfconversion..Resolving sj.qq.com (sj.qq.com)... 129.226.107.102, 129.226.106.5..Connecting to sj.qq.com (sj.qq.com)\|129.226.107.102\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 364352 (356K) [text/html]..Saving to: 'C:/Users/user/Desktop/download/com.xieli.mzpdfconversion'.... 0K .......... .......... .......... .......... .......... 14% 77.9K 4s.. 50K .......... .......... .......... .......... .......... 28% 85.5K 3s.. 100K .......... .......... .......... .......... .......... 42% 545K 2s.. 150K .......... .......... .......... .......... .......... 56% 1.38M 1s.. 200K .......... .......... .......... .......... .......... 70% 2.20M 1s.. 250K .......... .......... .......... .......... .......... 84% 1.93M 0s.. 300K .......... .......... .......... .......... .......... 98% 2.18M 0s.. 350K ..... 100% 1.57M=1.4s....202

C:\Users\user\Desktop\download\com.xieli.mzpdfconversion

Download File

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (34932)
Category:	dropped
Size (bytes):	364352
Entropy (8bit):	6.341096478910028
Encrypted:	false
SSDEEP:	6144:hAC7UB8dRuXGewJ+3jzuXGewJ+3jYZyEutLE:B7U3ZyEutLE
MD5:	667EC7776576A1C9308319B9B62C33A8
SHA1:	D85E9EA002A0A062EC9851D17FA321F4116B0A42
SHA-256:	B7B5C3ADC03FEC8F7BFB5411B2E9E00F48B705B0D38F67D40E7F8435629CA6E8
SHA-512:	ED813968BE12DDC7D89B9853B515AF7D4C1F8EB7AEFE9FEC90C7AAAC18D0274CA13A10801769556B152D085094DFE3AFFD7FD05A7AF7CFB94031C2B2C813CC6B
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html><html lang="zh"><head><script id="initial" data-next-head="">. if (false) {. document.documentElement.classList && document.documentElement.classList.add('themeGrey');. }.. var date = new Date();. var currentDate = [date.getFullYear(), date.getMonth() + 1, date.getDate()].join('');.. if (window.localStorage && window.localStorage.getItem('YYB_SPLASH_ADS_SHOW_DATE') !== currentDate) {. document.documentElement.classList && document.documentElement.classList.add('canShowSplashAds');. }.. if (window.location.pathname === '/download' \|\| window.location.pathname === '/pcsem/download') {. document.documentElement.style.fontSize = (Math.min(window.innerWidth, 1920) / 1920 * 100).toFixed(5) + 'px';. }.. window.requestReportApi = function (pathname, query) {. var operator = window.location.search ? '&' : '?';. var url

Total Packets: 145
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2025 12:05:47.901134014 CEST	49672	443	192.168.2.5	204.79.197.203
Apr 17, 2025 12:05:51.745269060 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 17, 2025 12:05:52.057388067 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 17, 2025 12:05:52.674596071 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 17, 2025 12:05:52.713644028 CEST	49672	443	192.168.2.5	204.79.197.203
Apr 17, 2025 12:05:53.885504007 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 17, 2025 12:05:53.979707956 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:53.979742050 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:53.979857922 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:53.982337952 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:53.982351065 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:54.888998032 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:54.889095068 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:54.889111996 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:54.889152050 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:54.891922951 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:54.891928911 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:54.892159939 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:54.893366098 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:54.940265894 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.168102026 CEST	49692	80	192.168.2.5	142.251.15.94
Apr 17, 2025 12:05:55.274313927 CEST	80	49692	142.251.15.94	192.168.2.5
Apr 17, 2025 12:05:55.274426937 CEST	49692	80	192.168.2.5	142.251.15.94
Apr 17, 2025 12:05:55.274655104 CEST	49692	80	192.168.2.5	142.251.15.94
Apr 17, 2025 12:05:55.380748034 CEST	80	49692	142.251.15.94	192.168.2.5
Apr 17, 2025 12:05:55.381401062 CEST	80	49692	142.251.15.94	192.168.2.5
Apr 17, 2025 12:05:55.432388067 CEST	49692	80	192.168.2.5	142.251.15.94
Apr 17, 2025 12:05:55.538611889 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.538641930 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.538688898 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.538746119 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.538791895 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:55.538808107 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.538863897 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:55.836736917 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.836796045 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.836838961 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.836951017 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:55.836951017 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:55.836966038 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.837018967 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:55.837018013 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.837038040 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.837066889 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:55.837105989 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.837162971 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:55.837169886 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.837208986 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:55.882354975 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:55.882441998 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.140330076 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140439987 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140507936 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.140523911 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140544891 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140568018 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.140574932 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140603065 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.140651941 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140707016 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.140712023 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140753984 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.140767097 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140820980 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.140870094 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.140925884 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.140950918 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.141000986 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.141043901 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.141104937 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.141144991 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.141222954 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.141232014 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.141285896 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.141310930 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.141362906 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.180270910 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.180320978 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.180342913 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.180352926 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.180402040 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.299094915 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 17, 2025 12:05:56.439100981 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439203978 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.439228058 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439285994 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.439316034 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439371109 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.439429998 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439481974 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.439538002 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439593077 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.439630985 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439691067 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.439712048 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439760923 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.439794064 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439914942 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439918041 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.439944029 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.439974070 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440022945 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440083981 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440098047 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440118074 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440140963 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440149069 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440192938 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440241098 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440306902 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440314054 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440376043 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440395117 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440401077 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440433979 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440471888 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440526962 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440532923 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440568924 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440572977 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440593958 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440623999 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440701962 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440761089 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440768957 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440808058 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.440819025 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.440871954 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.441034079 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.441091061 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.441123009 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.441178083 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.441240072 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.441292048 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.441414118 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.441463947 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.441525936 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.441584110 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.441663980 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.441715956 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.478552103 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.478615999 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.478766918 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.478777885 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.478811979 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.520391941 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.520459890 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.520477057 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.520523071 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.722436905 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.736866951 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.736943960 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.737266064 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737319946 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.737323046 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737341881 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737376928 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.737401009 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737440109 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.737453938 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737493992 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.737525940 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737581968 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.737687111 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737734079 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.737765074 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737823009 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.737879992 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.737930059 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.738029957 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.738070011 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.738198996 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.738239050 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.738318920 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.738363028 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.738444090 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.738492012 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.738616943 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.738676071 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.738678932 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.738697052 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.738723993 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.738751888 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.738908052 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.738960028 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.739041090 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.739084005 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.739214897 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.739272118 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.739388943 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.739442110 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.739502907 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.739556074 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.739624023 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.739675999 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.739737034 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.739788055 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.739854097 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.739907026 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.739986897 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.740039110 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.740137100 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.740200996 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.740250111 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.740314960 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.740425110 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.740466118 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.740530968 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.740583897 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.740709066 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.740761995 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.740830898 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.740886927 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.740915060 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.740967989 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.741027117 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.741075993 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.741211891 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.741261959 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.741322994 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.741372108 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.741421938 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.741477013 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.741730928 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.741781950 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.741818905 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.741873026 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.741925955 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.741971970 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.742049932 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.742100000 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.742230892 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.742284060 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.742333889 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.742389917 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.742446899 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.742494106 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.742533922 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.742579937 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.742588043 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.742690086 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:05:56.742743015 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.851989985 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.983552933 CEST	49689	443	192.168.2.5	129.226.107.102
Apr 17, 2025 12:05:56.983582973 CEST	443	49689	129.226.107.102	192.168.2.5
Apr 17, 2025 12:06:01.104279995 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 17, 2025 12:06:02.354969025 CEST	49672	443	192.168.2.5	204.79.197.203
Apr 17, 2025 12:06:04.136617899 CEST	49703	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:06:04.136672974 CEST	443	49703	142.250.9.104	192.168.2.5
Apr 17, 2025 12:06:04.136751890 CEST	49703	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:06:04.137012005 CEST	49703	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:06:04.137031078 CEST	443	49703	142.250.9.104	192.168.2.5
Apr 17, 2025 12:06:04.365616083 CEST	443	49703	142.250.9.104	192.168.2.5
Apr 17, 2025 12:06:04.365714073 CEST	49703	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:06:04.367831945 CEST	49703	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:06:04.367845058 CEST	443	49703	142.250.9.104	192.168.2.5
Apr 17, 2025 12:06:04.368916035 CEST	443	49703	142.250.9.104	192.168.2.5
Apr 17, 2025 12:06:04.416908026 CEST	49703	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:06:10.714191914 CEST	49676	443	192.168.2.5	20.189.173.14
Apr 17, 2025 12:06:10.911773920 CEST	49675	443	192.168.2.5	2.23.227.208
Apr 17, 2025 12:06:10.911793947 CEST	443	49675	2.23.227.208	192.168.2.5
Apr 17, 2025 12:06:10.911925077 CEST	49675	443	192.168.2.5	2.23.227.208
Apr 17, 2025 12:06:10.911947012 CEST	443	49675	2.23.227.208	192.168.2.5
Apr 17, 2025 12:06:14.374557972 CEST	443	49703	142.250.9.104	192.168.2.5
Apr 17, 2025 12:06:14.374615908 CEST	443	49703	142.250.9.104	192.168.2.5
Apr 17, 2025 12:06:14.374809980 CEST	49703	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:06:14.575994968 CEST	49703	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:06:14.576045990 CEST	443	49703	142.250.9.104	192.168.2.5
Apr 17, 2025 12:06:55.542794943 CEST	49692	80	192.168.2.5	142.251.15.94
Apr 17, 2025 12:06:55.649792910 CEST	80	49692	142.251.15.94	192.168.2.5
Apr 17, 2025 12:06:55.649908066 CEST	49692	80	192.168.2.5	142.251.15.94
Apr 17, 2025 12:07:04.091836929 CEST	49712	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:07:04.091880083 CEST	443	49712	142.250.9.104	192.168.2.5
Apr 17, 2025 12:07:04.091972113 CEST	49712	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:07:04.092128992 CEST	49712	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:07:04.092143059 CEST	443	49712	142.250.9.104	192.168.2.5
Apr 17, 2025 12:07:04.308573961 CEST	443	49712	142.250.9.104	192.168.2.5
Apr 17, 2025 12:07:04.309011936 CEST	49712	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:07:04.309047937 CEST	443	49712	142.250.9.104	192.168.2.5
Apr 17, 2025 12:07:14.322246075 CEST	443	49712	142.250.9.104	192.168.2.5
Apr 17, 2025 12:07:14.322302103 CEST	443	49712	142.250.9.104	192.168.2.5
Apr 17, 2025 12:07:14.322350025 CEST	49712	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:07:14.644810915 CEST	49712	443	192.168.2.5	142.250.9.104
Apr 17, 2025 12:07:14.644901991 CEST	443	49712	142.250.9.104	192.168.2.5
Apr 17, 2025 12:07:28.104706049 CEST	49682	443	192.168.2.5	150.171.27.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2025 12:05:53.357722998 CEST	61212	53	192.168.2.5	1.1.1.1
Apr 17, 2025 12:05:53.973455906 CEST	53	61212	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:01.077496052 CEST	53	54356	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:01.356178045 CEST	53	55943	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:02.036941051 CEST	53	58670	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:02.221658945 CEST	53	52974	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:04.028256893 CEST	65474	53	192.168.2.5	1.1.1.1
Apr 17, 2025 12:06:04.028505087 CEST	56140	53	192.168.2.5	1.1.1.1
Apr 17, 2025 12:06:04.134753942 CEST	53	56140	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:04.134779930 CEST	53	65474	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:19.877382994 CEST	53	52721	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:38.606389999 CEST	53	65326	1.1.1.1	192.168.2.5
Apr 17, 2025 12:06:55.018943071 CEST	138	138	192.168.2.5	192.168.2.255
Apr 17, 2025 12:06:59.938322067 CEST	53	63720	1.1.1.1	192.168.2.5
Apr 17, 2025 12:07:00.910953999 CEST	53	63047	1.1.1.1	192.168.2.5
Apr 17, 2025 12:07:02.463742018 CEST	53	59505	1.1.1.1	192.168.2.5
Apr 17, 2025 12:07:31.066131115 CEST	53	49748	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2025 12:05:53.357722998 CEST	192.168.2.5	1.1.1.1	0x299a	Standard query (0)	sj.qq.com	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:06:04.028256893 CEST	192.168.2.5	1.1.1.1	0x9bb9	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:06:04.028505087 CEST	192.168.2.5	1.1.1.1	0xbde9	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 17, 2025 12:05:53.973455906 CEST	1.1.1.1	192.168.2.5	0x299a	No error (0)	sj.qq.com	ins-przegge7.ias.tencent-cloud.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 17, 2025 12:05:53.973455906 CEST	1.1.1.1	192.168.2.5	0x299a	No error (0)	ins-przegge7.ias.tencent-cloud.net		129.226.107.102	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:05:53.973455906 CEST	1.1.1.1	192.168.2.5	0x299a	No error (0)	ins-przegge7.ias.tencent-cloud.net		129.226.106.5	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:06:04.134753942 CEST	1.1.1.1	192.168.2.5	0xbde9	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 17, 2025 12:06:04.134779930 CEST	1.1.1.1	192.168.2.5	0x9bb9	No error (0)	www.google.com		142.250.9.104	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:06:04.134779930 CEST	1.1.1.1	192.168.2.5	0x9bb9	No error (0)	www.google.com		142.250.9.99	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:06:04.134779930 CEST	1.1.1.1	192.168.2.5	0x9bb9	No error (0)	www.google.com		142.250.9.147	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:06:04.134779930 CEST	1.1.1.1	192.168.2.5	0x9bb9	No error (0)	www.google.com		142.250.9.105	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:06:04.134779930 CEST	1.1.1.1	192.168.2.5	0x9bb9	No error (0)	www.google.com		142.250.9.103	A (IP address)	IN (0x0001)	false
Apr 17, 2025 12:06:04.134779930 CEST	1.1.1.1	192.168.2.5	0x9bb9	No error (0)	www.google.com		142.250.9.106	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sj.qq.com

c.pki.goog

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.5	49692	142.251.15.94	80

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2025 12:05:55.274655104 CEST	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Apr 17, 2025 12:05:55.381401062 CEST	1243	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="cacerts" Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]} Content-Length: 530 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Thu, 17 Apr 2025 09:48:16 GMT Expires: Thu, 17 Apr 2025 10:38:16 GMT Cache-Control: public, max-age=3000 Age: 1059 Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT Content-Type: application/pkix-crl Vary: Accept-Encoding Data Raw: 30 82 02 0e 30 82 01 93 02 01 01 30 0a 06 08 2a 86 48 ce 3d 04 03 03 30 47 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 22 30 20 06 03 55 04 0a 13 19 47 6f 6f 67 6c 65 20 54 72 75 73 74 20 53 65 72 76 69 63 65 73 20 4c 4c 43 31 14 30 12 06 03 55 04 03 13 0b 47 54 53 20 52 6f 6f 74 20 52 34 17 0d 32 35 30 34 30 33 30 38 30 30 30 30 5a 17 0d 32 36 30 32 32 38 30 37 35 39 35 39 5a 30 81 e9 30 2f 02 10 6e 47 a9 ce 4f 46 c2 3d e2 49 ea cc 38 94 53 73 17 0d 31 39 30 39 33 30 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 01 f0 9c 5b 70 05 a6 dc 86 e2 f9 9e f3 17 0d 32 30 30 31 33 31 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 01 fe a5 81 44 7e 3b fd 3b b8 1c 24 98 17 0d 32 33 30 36 31 33 30 30 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 02 16 68 25 e1 70 04 40 61 24 91 f5 40 17 0d 32 35 30 34 30 33 30 38 30 30 30 30 5a 30 0c 30 0a 06 03 55 1d 15 04 03 0a 01 05 30 2c 02 0d 02 00 8e b2 58 e7 b5 94 0c 1f f9 00 44 17 0d 32 35 30 [TRUNCATED] Data Ascii: 000H=0G10UUS1"0 UGoogle Trust Services LLC10UGTS Root R4250403080000Z260228075959Z00/nGOF=I8Ss190930000000Z00U0,[p200131000000Z00U0,D~;;$230613000000Z00U0,h%p@a$@250403080000Z00U0,XD250403080000Z00U/0-0U0U#0LtI6>j0H=i0f1>2en:IN@g=;bQZ~`NX1?^4y[$\4{;$zDeU6O

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49689	129.226.107.102	443	6456	C:\Windows\SysWOW64\wget.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-17 10:05:54 UTC	220	OUT	GET /appdetail/com.xieli.mzpdfconversion HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: sj.qq.com Connection: Keep-Alive
2025-04-17 10:05:55 UTC	542	IN	HTTP/1.1 200 OK Date: Thu, 17 Apr 2025 10:05:55 GMT Content-Type: text/html; charset=utf-8 Content-Length: 364352 Connection: close Set-Cookie: tgw_l7_route=8bbcc25606a6bfb59af78f978bcf71d8; Expires=Thu, 17-Apr-2025 10:35:55 GMT; Path=/; sameSite=None; Secure Vary: Accept-Encoding, User-Agent Cache-Control: public, max-age=60 X-Content-Type-Options: nosniff Set-Cookie: YYB_HOME_UUID=09553057-6860-4784-b97d-838e364a4a57; Max-Age=2207520000; Path=/ X-Powered-By: Next.js ETag: "1007q674ua972v4" Set-Cookie: is_gray=0; Path=/
2025-04-17 10:05:55 UTC	2426	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 69 64 3d 22 69 6e 69 74 69 61 6c 22 20 64 61 74 61 2d 6e 65 78 74 2d 68 65 61 64 3d 22 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 66 61 6c 73 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4c 69 73 74 20 26 26 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4c 69 73 74 2e 61 64 64 28 27 74 68 65 6d 65 47 72 65 79 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 64 61 74 65 20 3d 20 6e 65 77 20 44 61 74 65 28 29 Data Ascii: <!DOCTYPE html><html lang="zh"><head><script id="initial" data-next-head=""> if (false) { document.documentElement.classList && document.documentElement.classList.add('themeGrey'); } var date = new Date()
2025-04-17 10:05:55 UTC	4096	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 2f 2f 20 76 61 72 20 76 61 6c 75 65 20 3d 20 74 79 70 65 6f 66 20 65 76 65 6e 74 56 61 6c 75 65 20 3d 3d 3d 20 27 75 6e 64 65 66 69 6e 65 64 27 20 3f 20 64 75 72 61 74 69 6f 6e 20 3a 20 65 76 65 6e 74 56 61 6c 75 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2f 2f 20 77 69 6e 64 6f 77 2e 72 65 71 75 65 73 74 52 65 70 6f 72 74 41 70 69 28 27 2f 61 70 69 2f 62 65 61 63 6f 6e 52 65 70 6f 72 74 27 2c 20 27 26 65 76 65 6e 74 4e 61 6d 65 3d 27 20 2b 20 65 76 65 6e 74 4e 61 6d 65 20 2b 20 27 26 65 76 65 6e 74 56 61 6c 75 65 3d 27 20 2b 20 76 61 6c 75 65 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 3b 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 73 75 70 70 6f 72 74 54 69 6d 69 6e 67 52 65 70 6f 72 74 20 Data Ascii: // var value = typeof eventValue === 'undefined' ? duration : eventValue; // window.requestReportApi('/api/beaconReport', '&eventName=' + eventName + '&eventValue=' + value); }; window.supportTimingReport
2025-04-17 10:05:55 UTC	4096	IN	Data Raw: e5 9b be e7 89 87 e8 bd ac e6 8d a2 e3 80 81 e8 bd ac e6 96 87 e5 ad 97 e7 ad 89 e7 ad 89 ef bc 81 e8 bd af e4 bb b6 e4 b8 bb e8 a6 81 e5 8a 9f e8 83 bd ef bc 9a 31 2e 50 44 46 e8 bd ac e5 85 b6 e4 bb 96 ef bc 9a 50 44 46 e8 bd ac 57 6f 72 64 e3 80 81 e5 9b be e7 89 87 e3 80 81 50 50 54 e3 80 81 45 78 63 65 6c e3 80 81 48 54 4d 4c e5 92 8c 54 58 54 e6 a0 bc e5 bc 8f e7 ad 89 e6 a0 bc e5 bc 8f ef bc 8c e6 96 b9 e4 be bf e7 bc 96 e8 be 91 32 2e e5 85 b6 e4 bb 96 e8 bd ac 50 44 46 ef bc 9a 57 6f 72 64 e3 80 81 45 78 63 65 6c e3 80 81 50 50 54 e5 92 8c 4a 50 47 e5 9b be e7 89 87 e7 ad 89 e6 a0 bc e5 bc 8f e8 bd ac 50 44 46 33 2e 50 44 46 e7 bc 96 e8 be 91 e5 b7 a5 e5 85 b7 2e 2e 2e 22 20 64 61 74 61 2d 6e 65 78 74 2d 68 65 61 64 3d 22 22 2f 3e 3c 6d 65 74 61 Data Ascii: 1.PDFPDFWordPPTExcelHTMLTXT2.PDFWordExcelPPTJPGPDF3.PDF..." data-next-head=""/><meta
2025-04-17 10:05:55 UTC	3040	IN	Data Raw: 26 26 20 64 61 74 61 2e 6c 6f 67 73 2e 6d 73 67 2e 69 6e 64 65 78 4f 66 28 70 61 74 68 29 20 3e 20 2d 31 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 20 64 61 74 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 2c 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 65 66 6f 72 65 52 65 70 6f 72 74 3a 20 66 75 6e 63 74 69 6f 6e 28 6c 6f 67 29 20 7b 0a 20 20 20 20 20 20 20 20 Data Ascii: && data.logs.msg.indexOf(path) > -1; }) ) { return false; } return data; }, beforeReport: function(log) {
2025-04-17 10:05:55 UTC	2808	IN	Data Raw: 6e 6b 73 2f 70 61 67 65 73 2f 5f 61 70 70 2d 36 32 66 31 37 35 36 63 63 61 39 66 35 65 33 33 2e 6a 73 22 20 64 65 66 65 72 3d 22 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 73 6a 2e 71 71 2e 63 6f 6d 2f 5f 6e 65 78 74 2f 73 74 61 74 69 63 2f 63 68 75 6e 6b 73 2f 32 36 38 36 2d 65 35 64 33 61 35 38 64 31 39 30 61 36 37 65 65 2e 6a 73 22 20 64 65 66 65 72 3d 22 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 73 6a 2e 71 71 2e 63 6f 6d 2f 5f 6e 65 78 74 2f 73 74 61 74 69 63 2f Data Ascii: nks/pages/_app-62f1756cca9f5e33.js" defer="" crossorigin="anonymous"></script><script src="https://static.sj.qq.com/_next/static/chunks/2686-e5d3a58d190a67ee.js" defer="" crossorigin="anonymous"></script><script src="https://static.sj.qq.com/_next/static/
2025-04-17 10:05:55 UTC	4096	IN	Data Raw: 67 68 74 3a 30 2e 30 30 30 30 30 76 77 3b 7d 2e 73 70 61 63 65 42 65 74 77 65 65 6e 2e 6a 73 78 2d 31 31 39 32 33 32 34 37 32 3a 6c 61 73 74 2d 63 68 69 6c 64 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 3b 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 38 30 30 70 78 29 7b 2e 73 70 61 63 65 42 65 74 77 65 65 6e 2e 6a 73 78 2d 31 31 39 32 33 32 34 37 32 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 70 78 3b 7d 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 31 32 30 30 70 78 29 7b 2e 73 70 61 63 65 42 65 74 77 65 65 6e 2e 6a 73 78 2d 31 31 39 32 33 32 34 37 32 7b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 70 78 3b 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 20 69 64 3d 22 5f 5f 6a 73 78 2d 32 32 30 30 31 32 39 38 34 32 22 3e Data Ascii: ght:0.00000vw;}.spaceBetween.jsx-119232472:last-child{padding-right:0;}@media (min-width:800px){.spaceBetween.jsx-119232472{padding-right:0px;}}@media (min-width:1200px){.spaceBetween.jsx-119232472{padding-right:0px;}}</style><style id="__jsx-2200129842">
2025-04-17 10:05:55 UTC	1520	IN	Data Raw: 62 65 6c 22 20 64 74 2d 70 61 72 61 6d 73 3d 22 63 69 64 3d 26 61 6d 70 3b 63 74 79 70 65 3d 26 61 6d 70 3b 74 72 61 63 65 5f 69 64 3d 38 64 31 61 34 31 39 37 2d 31 62 37 33 2d 31 31 66 30 2d 62 30 62 39 2d 35 32 35 34 30 30 34 62 62 62 32 31 26 61 6d 70 3b 73 6c 6f 74 3d 31 26 61 6d 70 3b 73 63 72 65 65 6e 6f 72 64 65 72 3d 31 26 61 6d 70 3b 72 69 64 3d 26 61 6d 70 3b 61 70 70 69 64 3d 35 34 32 36 35 34 37 35 26 61 6d 70 3b 70 6b 67 6e 61 6d 65 3d 63 6f 6d 2e 78 69 65 6c 69 2e 6d 7a 70 64 66 63 6f 6e 76 65 72 73 69 6f 6e 26 61 6d 70 3b 61 70 70 6e 61 6d 65 3d 25 45 38 25 42 46 25 38 35 25 45 36 25 38 44 25 42 37 50 44 46 25 45 37 25 42 43 25 39 36 25 45 38 25 42 45 25 39 31 25 45 35 25 39 39 25 41 38 26 61 6d 70 3b 69 73 63 6c 6f 75 64 67 61 6d 65 3d 30 Data Ascii: bel" dt-params="cid=&ctype=&trace_id=8d1a4197-1b73-11f0-b0b9-5254004bbb21&slot=1&screenorder=1&rid=&appid=54265475&pkgname=com.xieli.mzpdfconversion&appname=%E8%BF%85%E6%8D%B7PDF%E7%BC%96%E8%BE%91%E5%99%A8&iscloudgame=0
2025-04-17 10:05:55 UTC	1404	IN	Data Raw: 35 34 37 35 26 61 6d 70 3b 70 6b 67 6e 61 6d 65 3d 63 6f 6d 2e 78 69 65 6c 69 2e 6d 7a 70 64 66 63 6f 6e 76 65 72 73 69 6f 6e 26 61 6d 70 3b 61 70 70 6e 61 6d 65 3d 25 45 38 25 42 46 25 38 35 25 45 36 25 38 44 25 42 37 50 44 46 25 45 37 25 42 43 25 39 36 25 45 38 25 42 45 25 39 31 25 45 35 25 39 39 25 41 38 26 61 6d 70 3b 69 73 63 6c 6f 75 64 67 61 6d 65 3d 30 26 61 6d 70 3b 79 79 62 5f 61 70 70 5f 74 79 70 65 3d 73 6f 66 74 77 61 72 65 26 61 6d 70 3b 70 63 79 79 62 5f 72 65 61 64 79 3d 31 26 61 6d 70 3b 69 73 5f 67 61 6d 65 3d 30 26 61 6d 70 3b 63 61 72 64 69 64 3d 79 79 62 6e 5f 67 61 6d 65 5f 62 61 73 69 63 5f 69 6e 66 6f 26 61 6d 70 3b 72 65 6c 5f 65 78 70 5f 69 64 73 3d 22 3e 3c 69 20 63 6c 61 73 73 3d 22 50 43 59 59 42 44 6f 77 6e 6c 6f 61 64 42 75 Data Ascii: 5475&pkgname=com.xieli.mzpdfconversion&appname=%E8%BF%85%E6%8D%B7PDF%E7%BC%96%E8%BE%91%E5%99%A8&iscloudgame=0&yyb_app_type=software&pcyyb_ready=1&is_game=0&cardid=yybn_game_basic_info&rel_exp_ids="><i class="PCYYBDownloadBu
2025-04-17 10:05:55 UTC	2692	IN	Data Raw: e7 a7 81 3c 2f 70 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 48 69 67 68 50 65 72 66 6f 72 6d 61 6e 63 65 42 72 61 6e 64 49 6d 61 67 65 5f 61 63 63 65 6c 65 72 61 74 69 6f 6e 47 72 61 70 68 5f 5f 58 70 68 39 69 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 48 69 67 68 50 65 72 66 6f 72 6d 61 6e 63 65 42 72 61 6e 64 49 6d 61 67 65 5f 69 6e 74 65 6c 49 63 6f 6e 5f 5f 4f 6b 63 75 46 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 48 69 67 68 50 65 72 66 6f 72 6d 61 6e 63 65 42 72 61 6e 64 49 6d 61 67 65 5f 67 72 69 64 49 74 65 6d 5f 5f 37 57 41 66 79 20 48 69 67 68 50 65 72 66 6f 72 6d 61 6e 63 65 42 72 61 6e 64 49 6d 61 67 65 5f 64 69 73 70 6c 61 79 5f 5f 4c 41 6c 64 58 20 48 69 67 68 50 65 72 66 6f 72 6d 61 6e 63 65 Data Ascii: </p><div class="HighPerformanceBrandImage_accelerationGraph__Xph9i"><div class="HighPerformanceBrandImage_intelIcon__OkcuF"></div></div></div><div class="HighPerformanceBrandImage_gridItem__7WAfy HighPerformanceBrandImage_display__LAldX HighPerformance
2025-04-17 10:05:55 UTC	4096	IN	Data Raw: 76 20 63 6c 61 73 73 3d 22 47 61 6d 65 44 65 74 61 69 6c 5f 6d 6f 62 69 6c 65 47 61 6d 65 43 61 72 64 56 69 65 77 5f 5f 5f 6c 55 59 5a 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 47 61 6d 65 43 61 72 64 5f 67 61 6d 65 43 61 72 64 5f 5f 53 4c 45 49 75 20 47 61 6d 65 43 61 72 64 5f 47 41 4d 45 5f 44 45 54 41 49 4c 5f 5f 48 4b 6c 71 66 20 47 61 6d 65 43 61 72 64 5f 73 68 6f 77 53 65 6c 65 63 74 5f 5f 67 72 32 61 4d 22 20 64 74 2d 65 69 64 3d 22 67 61 6d 65 5f 63 61 72 64 22 20 64 74 2d 70 61 72 61 6d 73 3d 22 63 69 64 3d 26 61 6d 70 3b 63 74 79 70 65 3d 26 61 6d 70 3b 74 72 61 63 65 5f 69 64 3d 38 64 31 61 34 31 39 37 2d 31 62 37 33 2d 31 31 66 30 2d 62 30 62 39 2d 35 32 35 34 30 30 34 62 62 62 32 31 26 61 6d 70 3b 73 6c 6f 74 3d 31 26 61 6d 70 3b 73 63 72 65 Data Ascii: v class="GameDetail_mobileGameCardView___lUYZ"><div class="GameCard_gameCard__SLEIu GameCard_GAME_DETAIL__HKlqf GameCard_showSelect__gr2aM" dt-eid="game_card" dt-params="cid=&ctype=&trace_id=8d1a4197-1b73-11f0-b0b9-5254004bbb21&slot=1&scre

Statistics

CPU Usage

• cmd.exe
• conhost.exe
• wget.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• wget.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	1
Start time:	06:05:51
Start date:	17/04/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion" > cmdline.out 2>&1
Imagebase:	0x220000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:05:51
Start date:	17/04/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7e2000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:05:52
Start date:	17/04/2025
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://sj.qq.com/appdetail/com.xieli.mzpdfconversion"
Imagebase:	0x400000
File size:	3'895'184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:05:56
Start date:	17/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\download\com.xieli.mzpdfconversion.svg
Imagebase:	0x7ff674ef0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:05:57
Start date:	17/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,5890468377871130087,14425876592810880288,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2072 /prefetch:3
Imagebase:	0x7ff674ef0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	06:06:02
Start date:	17/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,5890468377871130087,14425876592810880288,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5032 /prefetch:8
Imagebase:	0x7ff674ef0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://sj.qq.com/appdetail/com.xieli.mzpdfconversion

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\cmdline.out

C:\Users\user\Desktop\download\com.xieli.mzpdfconversion

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 5624, Parent PID: 4780

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Windows Analysis Report
https://sj.qq.com/appdetail/com.xieli.mzpdfconversion