Edit tour

Windows Analysis Report
1Tkf1dTh5K.dll

Overview

General Information

Sample name:	1Tkf1dTh5K.dll renamed because original name is a hash value
Original sample name:	3f93e2b9e4f395d06b6dd096368c3408.dll
Analysis ID:	1447639
MD5:	3f93e2b9e4f395d06b6dd096368c3408
SHA1:	30ff267a7f126da5d880ac41fad5c6ebe0bcaf37
SHA256:	3454fcc1cd07d8d82c49ce44e3eee266df4894d66f833be14cb16904eaf5b1c5
Tags:	dllRaccoonStealer
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Detected VMProtect packer

Machine Learning detection for sample

Overwrites code with function prologues

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential time zone aware malware

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4428 cmdline: loaddll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4320 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6608 cmdline: rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3356 cmdline: rundll32.exe C:\Users\user\Desktop\1Tkf1dTh5K.dll,main MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5600 cmdline: rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",main MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, */*Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171

Source: rundll32.exe, 00000003.00000002.2385269268.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359523960.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463739896.0000000010199000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://&managingpasswords_s=data=/login/t.php&type=getime2
Source: rundll32.exe, 00000004.00000003.2082336174.0000000003316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.
Source: loaddll32.exe, 00000000.00000003.2187385658.0000000001556000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3268089788.0000000001559000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3272171936.0000000001559000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3271439966.0000000001559000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2784311494.0000000001557000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116272225.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2113035481.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082336174.000000000331D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082336174.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2208665022.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2358695472.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2204100016.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188587059.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2162472970.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/
Source: loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/6
Source: loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/?
Source: rundll32.exe, 00000003.00000003.2113035481.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/?K
Source: rundll32.exe, 00000006.00000003.2188587059.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/C
Source: rundll32.exe, 00000004.00000003.2082336174.000000000331D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/J
Source: rundll32.exe, 00000004.00000003.2082336174.000000000331D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/Re
Source: rundll32.exe, 00000003.00000003.2113035481.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/h
Source: rundll32.exe, 00000003.00000003.2116272225.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/hK3j
Source: rundll32.exe, 00000006.00000003.2192719848.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225375077.0000000000967000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/jizhi2_m.php
Source: rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/jizhi2_m.php/
Source: rundll32.exe, 00000003.00000003.2116272225.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/jizhi2_m.php/h
Source: rundll32.exe, 00000006.00000002.2463460659.0000000004F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/jizhi2_m.php;
Source: rundll32.exe, 00000006.00000002.2463460659.0000000004F10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/jizhi2_m.phpK
Source: loaddll32.exe, 00000000.00000002.3272027625.00000000014BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/jizhi2_m.phpi
Source: loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/jizhi2_m.phpm
Source: rundll32.exe, 00000006.00000003.2192719848.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2224227280.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188406323.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2162415500.0000000000947000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462798834.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225284312.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000947000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462918405.0000000000970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.php
Source: rundll32.exe, 00000006.00000003.2192719848.0000000000970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.php&x
Source: rundll32.exe, 00000004.00000003.2082336174.000000000333D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.php&x-
Source: rundll32.exe, 00000006.00000003.2192719848.0000000000970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.php1c%
Source: rundll32.exe, 00000004.00000003.2082336174.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2208665022.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2358695472.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2204100016.0000000003316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.php4g
Source: rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225284312.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.php;A-
Source: rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225284312.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.php=
Source: rundll32.exe, 00000004.00000003.2082336174.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2208665022.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2358695472.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2204100016.0000000003316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpDe)
Source: rundll32.exe, 00000006.00000003.2188587059.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188406323.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpJ
Source: rundll32.exe, 00000004.00000003.2208665022.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2358695472.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2204100016.0000000003316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpRM
Source: loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpTMT
Source: rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225284312.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpc
Source: rundll32.exe, 00000003.00000003.2112938839.00000000007D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpd
Source: loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpfa(
Source: rundll32.exe, 00000006.00000003.2188406323.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2162415500.0000000000947000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpj
Source: loaddll32.exe, 00000000.00000003.3271632988.000000000154D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2187385658.0000000001550000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3272152572.000000000154E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3271439966.000000000154D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3268383072.000000000154A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3268089788.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/t.phpx
Source: rundll32.exe, 00000006.00000003.2192719848.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/ver_m.php
Source: rundll32.exe, 00000003.00000002.2384605793.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2172117641.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/ver_m.php:
Source: rundll32.exe, 00000003.00000003.2089845513.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/ver_m.phpO
Source: rundll32.exe, 00000004.00000003.2082336174.0000000003361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/login/ver_m.phpZ
Source: loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/s
Source: rundll32.exe, 00000006.00000003.2188587059.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2162472970.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171/x
Source: rundll32.exe, 00000006.00000003.2188743743.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2193010264.0000000000938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171:80/login/t.php
Source: rundll32.exe, 00000006.00000003.2269266886.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2224227280.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462918405.0000000000970000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.171:80/login/t.php_m.phpcd56ec472546541c80af5d1615d7
Source: rundll32.exe, 00000006.00000003.2269266886.0000000000962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2272846682.0000000000962000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.110.247.17x
Source: rundll32.exe, 00000003.00000002.2385269268.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359523960.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463739896.0000000010199000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ec.360bc.cnhttp://www.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt
Source: rundll32.exe, 00000003.00000002.2386174372.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2360525561.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2464996552.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, 1Tkf1dTh5K.dll	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: rundll32.exe, 00000003.00000002.2385269268.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359523960.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463739896.0000000010199000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.super-ec.cn

System Summary

Detected VMProtect packer

Source: 1Tkf1dTh5K.dll

Static PE information: .vmp0 and .vmp1 section names

Source: 1Tkf1dTh5K.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal96.evad.winDLL@10/0@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1Tkf1dTh5K.dll,main

Source: 1Tkf1dTh5K.dll	ReversingLabs: Detection: 44%
Source: 1Tkf1dTh5K.dll	Virustotal: Detection: 52%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1Tkf1dTh5K.dll,main
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",main
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1Tkf1dTh5K.dll,main	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",main	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: 1Tkf1dTh5K.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 1Tkf1dTh5K.dll

Static file information: File size 8716288 > 1048576

Source: 1Tkf1dTh5K.dll

Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x80b000

Source:	Binary string: rundll32.pdb source: rundll32.exe, 00000003.00000002.2385100185.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.0000000000806000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2086404376.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082294461.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192671725.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188379761.0000000004F21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000003.00000002.2385100185.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.0000000000806000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2086404376.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082294461.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192671725.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188379761.0000000004F21000.00000004.00000020.00020000.00000000.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: 1Tkf1dTh5K.dll	Static PE information: section name: .vmp0
Source: 1Tkf1dTh5K.dll	Static PE information: section name: .vmp1

Hooking and other Techniques for Hiding and Protection

Overwrites code with function prologues

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 76A923A0 value: 8B FF 55 8B EC 83 EC 1C	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 76EBBA30 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 75A74D90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 75A8EBF0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 75E58A90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 75E80230 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 76A923A0 value: 8B FF 55 8B EC 83 EC 1C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 76EBBA30 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 75A74D90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 75A8EBF0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 75E58A90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 75E80230 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 76A923A0 value: 8B FF 55 8B EC 83 EC 1C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 76EBBA30 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 75A74D90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 75A8EBF0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 75E58A90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 75E80230 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 76A923A0 value: 8B FF 55 8B EC 83 EC 1C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 76EBBA30 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 75A74D90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 75A8EBF0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 75E58A90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 75E80230 value: 8B FF 55 8B EC	Jump to behavior

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: FE0005 value: E9 2B BA ED 75	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 76EBBA30 value: E9 DA 45 12 8A	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: FF0008 value: E9 8B 8E F1 75	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 76F08E90 value: E9 80 71 0E 8A	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 1450005 value: E9 8B 4D 62 74	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 75A74D90 value: E9 7A B2 9D 8B	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 1470005 value: E9 EB EB 61 74	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 75A8EBF0 value: E9 1A 14 9E 8B	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 1480005 value: E9 8B 8A 9D 74	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 75E58A90 value: E9 7A 75 62 8B	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 1490005 value: E9 2B 02 9F 74	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 75E80230 value: E9 DA FD 60 8B	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 14A0005 value: E9 8B 2F A5 75	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 4428 base: 76EF2F90 value: E9 7A D0 5A 8A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 540005 value: E9 2B BA 97 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 76EBBA30 value: E9 DA 45 68 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 550008 value: E9 8B 8E 9B 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 76F08E90 value: E9 80 71 64 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 700005 value: E9 8B 4D 37 75	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 75A74D90 value: E9 7A B2 C8 8A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: AE0005 value: E9 EB EB FA 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 75A8EBF0 value: E9 1A 14 05 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 3FE0005 value: E9 8B 8A E7 71	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 75E58A90 value: E9 7A 75 18 8E	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 3FF0005 value: E9 2B 02 E9 71	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 75E80230 value: E9 DA FD 16 8E	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 4000005 value: E9 8B 2F EF 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3356 base: 76EF2F90 value: E9 7A D0 10 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 3390005 value: E9 2B BA B2 73	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 76EBBA30 value: E9 DA 45 4D 8C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 33A0008 value: E9 8B 8E B6 73	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 76F08E90 value: E9 80 71 49 8C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 4D40005 value: E9 8B 4D D3 70	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 75A74D90 value: E9 7A B2 2C 8F	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 4D60005 value: E9 EB EB D2 70	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 75A8EBF0 value: E9 1A 14 2D 8F	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 4D70005 value: E9 8B 8A 0E 71	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 75E58A90 value: E9 7A 75 F1 8E	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 4D80005 value: E9 2B 02 10 71	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 75E80230 value: E9 DA FD EF 8E	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 4D90005 value: E9 8B 2F 16 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6608 base: 76EF2F90 value: E9 7A D0 E9 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: AE0005 value: E9 2B BA 3D 76	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 76EBBA30 value: E9 DA 45 C2 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 2B90008 value: E9 8B 8E 37 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 76F08E90 value: E9 80 71 C8 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 2BA0005 value: E9 8B 4D ED 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 75A74D90 value: E9 7A B2 12 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 2BD0005 value: E9 EB EB EB 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 75A8EBF0 value: E9 1A 14 14 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 2BE0005 value: E9 8B 8A 27 73	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 75E58A90 value: E9 7A 75 D8 8C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 2BF0005 value: E9 2B 02 29 73	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 75E80230 value: E9 DA FD D6 8C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 43B0005 value: E9 8B 2F B4 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5600 base: 76EF2F90 value: E9 7A D0 4B 8D	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rundll32.exe, 00000003.00000002.2385398369.000000001029E000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359665579.000000001029E000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463928728.000000001029E000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: BSBIEDLL.DLL}
Source: rundll32.exe, 00000003.00000002.2385398369.000000001029E000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359665579.000000001029E000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463928728.000000001029E000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: BSBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 10F620C9 second address: 10F620DB instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 inc cl 0x00000005 xor bl, cl 0x00000007 btc ax, bx 0x0000000b adc edx, 4D427E8Fh 0x00000011 push ebp 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 10EEA988 second address: 107F4A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD834C0C3EFh 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 10EEA988 second address: 107F4A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8341C476Fh 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 10E2A970 second address: 10E2A982 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 not dh 0x00000006 rcl dx, cl 0x00000009 btr edx, 31h 0x0000000d xor cl, 00000015h 0x00000010 dec cl 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 10E566B3 second address: 10E566BA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 mov ebp, esi 0x00000005 mov bl, cl 0x00000007 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 10F620C9 second address: 10F620DB instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 inc cl 0x00000005 xor bl, cl 0x00000007 btc ax, bx 0x0000000b adc edx, 4D427E8Fh 0x00000011 push ebp 0x00000012 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 10EEA988 second address: 107F4A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8341C476Fh 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 10E2A970 second address: 10E2A982 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 not dh 0x00000006 rcl dx, cl 0x00000009 btr edx, 31h 0x0000000d xor cl, 00000015h 0x00000010 dec cl 0x00000012 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 10E566B3 second address: 10E566BA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 mov ebp, esi 0x00000005 mov bl, cl 0x00000007 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 104BA999 second address: 104BA9AB instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 not dh 0x00000006 rcl dx, cl 0x00000009 btr edx, 31h 0x0000000d xor cl, 00000015h 0x00000010 dec cl 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 107048C3 second address: 10764125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD835361B64h 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 107048C3 second address: 10764125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD834919EE4h 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 10775347 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 movsx ecx, ax 0x00000005 sub esi, 00000008h 0x0000000b mov dword ptr [esi], edx 0x0000000d test esi, esp 0x0000000f cmove ecx, ecx 0x00000012 mov dword ptr [esi+04h], eax 0x00000015 lea ebp, dword ptr [ebp-00000004h] 0x0000001b cmp edx, 303645EAh 0x00000021 setno ch 0x00000024 mov ecx, dword ptr [ebp+00h] 0x00000028 xor ecx, ebx 0x0000002a jmp 00007FD83520AD5Fh 0x0000002f dec ecx 0x00000030 test bp, ax 0x00000033 cmp esi, edi 0x00000035 neg ecx 0x00000037 sub ecx, 35BD5015h 0x0000003d jmp 00007FD835257943h 0x00000042 bswap ecx 0x00000044 inc ecx 0x00000045 cmp esp, 285E65A0h 0x0000004b stc 0x0000004c xor ecx, 0DBA1880h 0x00000052 xor ebx, ecx 0x00000054 add edi, ecx 0x00000056 jmp 00007FD83510E371h 0x0000005b jmp 00007FD8352FD384h 0x00000060 lea edx, dword ptr [esp+60h] 0x00000064 clc 0x00000065 cmc 0x00000066 cmp edi, edi 0x00000068 cmp esi, edx 0x0000006a jmp 00007FD83555BEE2h 0x0000006f ja 00007FD83527C090h 0x00000075 jmp edi 0x00000077 mov ecx, dword ptr [esi] 0x00000079 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 10775347 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 movsx ecx, ax 0x00000005 sub esi, 00000008h 0x0000000b mov dword ptr [esi], edx 0x0000000d test esi, esp 0x0000000f cmove ecx, ecx 0x00000012 mov dword ptr [esi+04h], eax 0x00000015 lea ebp, dword ptr [ebp-00000004h] 0x0000001b cmp edx, 303645EAh 0x00000021 setno ch 0x00000024 mov ecx, dword ptr [ebp+00h] 0x00000028 xor ecx, ebx 0x0000002a jmp 00007FD8347C30DFh 0x0000002f dec ecx 0x00000030 test bp, ax 0x00000033 cmp esi, edi 0x00000035 neg ecx 0x00000037 sub ecx, 35BD5015h 0x0000003d jmp 00007FD83480FCC3h 0x00000042 bswap ecx 0x00000044 inc ecx 0x00000045 cmp esp, 285E65A0h 0x0000004b stc 0x0000004c xor ecx, 0DBA1880h 0x00000052 xor ebx, ecx 0x00000054 add edi, ecx 0x00000056 jmp 00007FD8346C66F1h 0x0000005b jmp 00007FD8348B5704h 0x00000060 lea edx, dword ptr [esp+60h] 0x00000064 clc 0x00000065 cmc 0x00000066 cmp edi, edi 0x00000068 cmp esi, edx 0x0000006a jmp 00007FD834B14262h 0x0000006f ja 00007FD834834410h 0x00000075 jmp edi 0x00000077 mov ecx, dword ptr [esi] 0x00000079 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 106FFBA9 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 xor cx, bp 0x00000005 sub esi, 00000008h 0x0000000b or ecx, edx 0x0000000d shl ch, cl 0x0000000f mov dword ptr [esi], edx 0x00000011 setns ch 0x00000014 mov dword ptr [esi+04h], eax 0x00000017 and cx, 4E9Ch 0x0000001c dec ecx 0x0000001d lea ebp, dword ptr [ebp-00000004h] 0x00000023 not cx 0x00000026 mov ecx, dword ptr [ebp+00h] 0x0000002a xor ecx, ebx 0x0000002c jmp 00007FD83520C84Bh 0x00000031 dec ecx 0x00000032 cmp ecx, ebx 0x00000034 neg ecx 0x00000036 cmp al, 0Dh 0x00000038 sub ecx, 35BD5015h 0x0000003e jmp 00007FD8352AFB46h 0x00000043 bswap ecx 0x00000045 jmp 00007FD835345928h 0x0000004a inc ecx 0x0000004b cmc 0x0000004c xor ecx, 0DBA1880h 0x00000052 test edi, 5E2C497Ch 0x00000058 xor ebx, ecx 0x0000005a cmp si, di 0x0000005d jmp 00007FD8352EAEC3h 0x00000062 add edi, ecx 0x00000064 jmp 00007FD8351F90F9h 0x00000069 jmp 00007FD835201EDCh 0x0000006e lea edx, dword ptr [esp+60h] 0x00000072 clc 0x00000073 cmc 0x00000074 cmp edi, edi 0x00000076 cmp esi, edx 0x00000078 jmp 00007FD83555BEE2h 0x0000007d ja 00007FD83527C090h 0x00000083 jmp edi 0x00000085 mov ecx, dword ptr [esi] 0x00000087 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 106FFBA9 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 xor cx, bp 0x00000005 sub esi, 00000008h 0x0000000b or ecx, edx 0x0000000d shl ch, cl 0x0000000f mov dword ptr [esi], edx 0x00000011 setns ch 0x00000014 mov dword ptr [esi+04h], eax 0x00000017 and cx, 4E9Ch 0x0000001c dec ecx 0x0000001d lea ebp, dword ptr [ebp-00000004h] 0x00000023 not cx 0x00000026 mov ecx, dword ptr [ebp+00h] 0x0000002a xor ecx, ebx 0x0000002c jmp 00007FD8347C4BCBh 0x00000031 dec ecx 0x00000032 cmp ecx, ebx 0x00000034 neg ecx 0x00000036 cmp al, 0Dh 0x00000038 sub ecx, 35BD5015h 0x0000003e jmp 00007FD834867EC6h 0x00000043 bswap ecx 0x00000045 jmp 00007FD8348FDCA8h 0x0000004a inc ecx 0x0000004b cmc 0x0000004c xor ecx, 0DBA1880h 0x00000052 test edi, 5E2C497Ch 0x00000058 xor ebx, ecx 0x0000005a cmp si, di 0x0000005d jmp 00007FD8348A3243h 0x00000062 add edi, ecx 0x00000064 jmp 00007FD8347B1479h 0x00000069 jmp 00007FD8347BA25Ch 0x0000006e lea edx, dword ptr [esp+60h] 0x00000072 clc 0x00000073 cmc 0x00000074 cmp edi, edi 0x00000076 cmp esi, edx 0x00000078 jmp 00007FD834B14262h 0x0000007d ja 00007FD834834410h 0x00000083 jmp edi 0x00000085 mov ecx, dword ptr [esi] 0x00000087 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 104BA999 second address: 104BA9AB instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 not dh 0x00000006 rcl dx, cl 0x00000009 btr edx, 31h 0x0000000d xor cl, 00000015h 0x00000010 dec cl 0x00000012 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 107048C3 second address: 10764125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD834919EE4h 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 10775347 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 movsx ecx, ax 0x00000005 sub esi, 00000008h 0x0000000b mov dword ptr [esi], edx 0x0000000d test esi, esp 0x0000000f cmove ecx, ecx 0x00000012 mov dword ptr [esi+04h], eax 0x00000015 lea ebp, dword ptr [ebp-00000004h] 0x0000001b cmp edx, 303645EAh 0x00000021 setno ch 0x00000024 mov ecx, dword ptr [ebp+00h] 0x00000028 xor ecx, ebx 0x0000002a jmp 00007FD83520AD5Fh 0x0000002f dec ecx 0x00000030 test bp, ax 0x00000033 cmp esi, edi 0x00000035 neg ecx 0x00000037 sub ecx, 35BD5015h 0x0000003d jmp 00007FD835257943h 0x00000042 bswap ecx 0x00000044 inc ecx 0x00000045 cmp esp, 285E65A0h 0x0000004b stc 0x0000004c xor ecx, 0DBA1880h 0x00000052 xor ebx, ecx 0x00000054 add edi, ecx 0x00000056 jmp 00007FD83510E371h 0x0000005b jmp 00007FD8352FD384h 0x00000060 lea edx, dword ptr [esp+60h] 0x00000064 clc 0x00000065 cmc 0x00000066 cmp edi, edi 0x00000068 cmp esi, edx 0x0000006a jmp 00007FD83555BEE2h 0x0000006f ja 00007FD83527C090h 0x00000075 jmp edi 0x00000077 mov ecx, dword ptr [esi] 0x00000079 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 106FFBA9 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 xor cx, bp 0x00000005 sub esi, 00000008h 0x0000000b or ecx, edx 0x0000000d shl ch, cl 0x0000000f mov dword ptr [esi], edx 0x00000011 setns ch 0x00000014 mov dword ptr [esi+04h], eax 0x00000017 and cx, 4E9Ch 0x0000001c dec ecx 0x0000001d lea ebp, dword ptr [ebp-00000004h] 0x00000023 not cx 0x00000026 mov ecx, dword ptr [ebp+00h] 0x0000002a xor ecx, ebx 0x0000002c jmp 00007FD8347C4BCBh 0x00000031 dec ecx 0x00000032 cmp ecx, ebx 0x00000034 neg ecx 0x00000036 cmp al, 0Dh 0x00000038 sub ecx, 35BD5015h 0x0000003e jmp 00007FD834867EC6h 0x00000043 bswap ecx 0x00000045 jmp 00007FD8348FDCA8h 0x0000004a inc ecx 0x0000004b cmc 0x0000004c xor ecx, 0DBA1880h 0x00000052 test edi, 5E2C497Ch 0x00000058 xor ebx, ecx 0x0000005a cmp si, di 0x0000005d jmp 00007FD8348A3243h 0x00000062 add edi, ecx 0x00000064 jmp 00007FD8347B1479h 0x00000069 jmp 00007FD8347BA25Ch 0x0000006e lea edx, dword ptr [esp+60h] 0x00000072 clc 0x00000073 cmc 0x00000074 cmp edi, edi 0x00000076 cmp esi, edx 0x00000078 jmp 00007FD834B14262h 0x0000007d ja 00007FD834834410h 0x00000083 jmp edi 0x00000085 mov ecx, dword ptr [esi] 0x00000087 rdtsc

Source: C:\Windows\SysWOW64\rundll32.exe TID: 1352	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1440	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1968	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	System information queried: CurrentTimeZoneInformation	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	System information queried: CurrentTimeZoneInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	System information queried: CurrentTimeZoneInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	System information queried: CurrentTimeZoneInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	System information queried: CurrentTimeZoneInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	System information queried: CurrentTimeZoneInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	System information queried: CurrentTimeZoneInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	System information queried: CurrentTimeZoneInformation	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000006.00000003.2162527962.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188743743.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2193010264.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHG
Source: rundll32.exe, 00000003.00000002.2384605793.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2172117641.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2089845513.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^V
Source: loaddll32.exe, 00000000.00000003.3268403428.000000000157B000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2784051732.000000000156D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2784408684.0000000001578000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2384605793.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2172117641.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2089845513.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2384531834.000000000079E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2176613287.000000000079A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: loaddll32.exe, 00000000.00000003.2784051732.000000000156D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWI
Source: loaddll32.exe, 00000000.00000003.3268383072.000000000154A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3268089788.000000000153D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`,W

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 47.110.247.171 80

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Rundll32	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1Tkf1dTh5K.dll	45%	ReversingLabs	Win32.Trojan.Ursu
1Tkf1dTh5K.dll	53%	Virustotal		Browse
1Tkf1dTh5K.dll	100%	Avira	HEUR/AGEN.1360811
1Tkf1dTh5K.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://47.110.247.171/Re	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.php&x	0%	Avira URL Cloud	safe
http://47.110.247.171/login/jizhi2_m.php	0%	Avira URL Cloud	safe
http://47.110.247.171/login/jizhi2_m.php;	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.php&x-	0%	Avira URL Cloud	safe
http://www.eyuyan.com)DVarFileInfo$	0%	Avira URL Cloud	safe
http://47.110.247.171/J	0%	Avira URL Cloud	safe
http://47.110.247.171/login/ver_m.phpZ	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.phpj	0%	Avira URL Cloud	safe
http://47.110.247.171/login/jizhi2_m.php	9%	Virustotal		Browse
http://47.110.247.171/login/jizhi2_m.php/h	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.phpd	0%	Avira URL Cloud	safe
http://47.110.247.171/6	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.phpfa(	0%	Avira URL Cloud	safe
http://47.110.247.171/login/jizhi2_m.phpi	0%	Avira URL Cloud	safe
http://47.110.247.171/login/ver_m.phpO	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.phpj	9%	Virustotal		Browse
http://47.110.247.171/login/t.phpd	2%	Virustotal		Browse
http://47.110.247.171/login/jizhi2_m.php/	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.php;A-	0%	Avira URL Cloud	safe
http://www.super-ec.cn	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.php=	0%	Avira URL Cloud	safe
http://47.110.247.171/login/jizhi2_m.phpm	0%	Avira URL Cloud	safe
http://www.super-ec.cn	0%	Virustotal		Browse
http://47.110.247.171/x	0%	Avira URL Cloud	safe
http://47.110.	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.php1c%	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.phpx	0%	Avira URL Cloud	safe
http://47.110.247.171/?	0%	Avira URL Cloud	safe
http://47.110.247.171/C	9%	Virustotal		Browse
http://47.110.247.171/C	0%	Avira URL Cloud	safe
http://47.110.247.171/login/ver_m.php	0%	Avira URL Cloud	safe
http://47.110.	0%	Virustotal		Browse
http://47.110.247.171/login/t.phpTMT	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.php4g	0%	Avira URL Cloud	safe
http://47.110.247.171/login/ver_m.php:	0%	Avira URL Cloud	safe
http://47.110.247.171/h	0%	Avira URL Cloud	safe
http://47.110.247.171:80/login/t.php_m.phpcd56ec472546541c80af5d1615d7	0%	Avira URL Cloud	safe
http://47.110.247.171/?K	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.phpRM	0%	Avira URL Cloud	safe
http://47.110.247.171/login/ver_m.php	8%	Virustotal		Browse
http://47.110.247.171/s	0%	Avira URL Cloud	safe
http://47.110.247.171/	0%	Avira URL Cloud	safe
http://47.110.247.171:80/login/t.php	0%	Avira URL Cloud	safe
http://47.110.247.171/login/jizhi2_m.phpK	0%	Avira URL Cloud	safe
http://47.110.247.171/hK3j	0%	Avira URL Cloud	safe
http://47.110.247.171/s	8%	Virustotal		Browse
http://47.110.247.171/	10%	Virustotal		Browse
http://47.110.247.171/login/t.phpDe)	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.phpc	0%	Avira URL Cloud	safe
http://47.110.247.171/login/t.php	0%	Avira URL Cloud	safe
http://&managingpasswords_s=data=/login/t.php&type=getime2	0%	Avira URL Cloud	safe
http://47.110.247.17x	0%	Avira URL Cloud	safe
http://ec.360bc.cnhttp://www.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt	0%	Avira URL Cloud	safe
http://47.110.247.171:80/login/t.php	10%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://47.110.247.171/login/jizhi2_m.php	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/login/ver_m.php	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://47.110.247.171/Re	rundll32.exe, 00000004.00000003.2082336174.000000000331D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/jizhi2_m.php;	rundll32.exe, 00000006.00000002.2463460659.0000000004F10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.php&x-	rundll32.exe, 00000004.00000003.2082336174.000000000333D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.php&x	rundll32.exe, 00000006.00000003.2192719848.0000000000970000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eyuyan.com)DVarFileInfo$	rundll32.exe, 00000003.00000002.2386174372.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2360525561.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2464996552.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, 1Tkf1dTh5K.dll	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/J	rundll32.exe, 00000004.00000003.2082336174.000000000331D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/ver_m.phpZ	rundll32.exe, 00000004.00000003.2082336174.0000000003361000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpj	rundll32.exe, 00000006.00000003.2188406323.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2162415500.0000000000947000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/login/jizhi2_m.php/h	rundll32.exe, 00000003.00000003.2116272225.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpd	rundll32.exe, 00000003.00000003.2112938839.00000000007D8000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/6	loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpfa(	loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/jizhi2_m.phpi	loaddll32.exe, 00000000.00000002.3272027625.00000000014BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/ver_m.phpO	rundll32.exe, 00000003.00000003.2089845513.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/jizhi2_m.php/	rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.php;A-	rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225284312.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.super-ec.cn	rundll32.exe, 00000003.00000002.2385269268.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359523960.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463739896.0000000010199000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.php=	rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225284312.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/jizhi2_m.phpm	loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/x	rundll32.exe, 00000006.00000003.2188587059.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2162472970.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.	rundll32.exe, 00000004.00000003.2082336174.0000000003316000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.php1c%	rundll32.exe, 00000006.00000003.2192719848.0000000000970000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpx	loaddll32.exe, 00000000.00000003.3271632988.000000000154D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2187385658.0000000001550000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3272152572.000000000154E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3271439966.000000000154D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3268383072.000000000154A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3268089788.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/?	loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/C	rundll32.exe, 00000006.00000003.2188587059.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.php4g	rundll32.exe, 00000004.00000003.2082336174.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2208665022.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2358695472.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2204100016.0000000003316000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpTMT	loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/ver_m.php:	rundll32.exe, 00000003.00000002.2384605793.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2172117641.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171:80/login/t.php_m.phpcd56ec472546541c80af5d1615d7	rundll32.exe, 00000006.00000003.2269266886.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2224227280.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462918405.0000000000970000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/h	rundll32.exe, 00000003.00000003.2113035481.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/?K	rundll32.exe, 00000003.00000003.2113035481.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpRM	rundll32.exe, 00000004.00000003.2208665022.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2358695472.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2204100016.0000000003316000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpJ	rundll32.exe, 00000006.00000003.2188587059.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188406323.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://47.110.247.171/s	loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/	loaddll32.exe, 00000000.00000003.2187385658.0000000001556000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3268089788.0000000001559000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.3272171936.0000000001559000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3271439966.0000000001559000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2784311494.0000000001557000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116272225.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2113035481.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082336174.000000000331D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082336174.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2208665022.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2358695472.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2204100016.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188587059.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192719848.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2162472970.0000000000951000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225375077.0000000000951000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171:80/login/t.php	rundll32.exe, 00000006.00000003.2188743743.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2193010264.0000000000938000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://47.110.247.171/login/jizhi2_m.phpK	rundll32.exe, 00000006.00000002.2463460659.0000000004F10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/hK3j	rundll32.exe, 00000003.00000003.2116272225.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpDe)	rundll32.exe, 00000004.00000003.2082336174.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2208665022.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2358695472.0000000003316000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2204100016.0000000003316000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.171/login/t.phpc	rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2225284312.0000000000946000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://&managingpasswords_s=data=/login/t.php&type=getime2	rundll32.exe, 00000003.00000002.2385269268.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359523960.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463739896.0000000010199000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://47.110.247.17x	rundll32.exe, 00000006.00000003.2269266886.0000000000962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2272846682.0000000000962000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ec.360bc.cnhttp://www.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt	rundll32.exe, 00000003.00000002.2385269268.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359523960.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463739896.0000000010199000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.110.247.171	unknown	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447639
Start date and time:	2024-05-26 08:45:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1Tkf1dTh5K.dll renamed because original name is a hash value
Original Sample Name:	3f93e2b9e4f395d06b6dd096368c3408.dll
Detection:	MAL
Classification:	mal96.evad.winDLL@10/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
47.110.247.171	uCLkYbZQoA.exe	Get hash	malicious	Unknown	Browse	47.110.247.171/login/login.php
	uCLkYbZQoA.exe	Get hash	malicious	Unknown	Browse	47.110.247.171/login/login.php
	WIxlt6C9uz.exe	Get hash	malicious	Unknown	Browse	47.110.247.171/login/login.php
	WIxlt6C9uz.exe	Get hash	malicious	Unknown	Browse	47.110.247.171/login/login.php
	SecuriteInfo.com.Win32.MalwareX-gen.16608.3922.dll	Get hash	malicious	Unknown	Browse	47.110.247.171/login/t.php
	SecuriteInfo.com.Win32.MalwareX-gen.16608.3922.dll	Get hash	malicious	Unknown	Browse	47.110.247.171/login/t.php
	XSpitaNHqG.exe	Get hash	malicious	Unknown	Browse	47.110.247.171/login/login.php
	t3CNhrFqlK.dll	Get hash	malicious	Unknown	Browse	47.110.247.171/login/t.php
	XSpitaNHqG.exe	Get hash	malicious	Unknown	Browse	47.110.247.171/login/login.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	uCLkYbZQoA.exe	Get hash	malicious	Unknown	Browse	47.110.247.171
	uCLkYbZQoA.exe	Get hash	malicious	Unknown	Browse	47.110.247.171
	BEddZjSb7A.elf	Get hash	malicious	Unknown	Browse	47.108.217.163
	hgVOQGUGqk.elf	Get hash	malicious	Unknown	Browse	8.185.61.106
	QN5PrDr5St.elf	Get hash	malicious	Unknown	Browse	106.14.214.192
	M2Vf6ASl3g.elf	Get hash	malicious	Unknown	Browse	114.215.215.188
	msjYmnMpqK.exe	Get hash	malicious	Unknown	Browse	47.104.173.216
	msjYmnMpqK.exe	Get hash	malicious	Unknown	Browse	47.104.173.216
	VWOm7n5MsV.elf	Get hash	malicious	Unknown	Browse	8.184.34.215

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.955111130703702
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1Tkf1dTh5K.dll
File size:	8'716'288 bytes
MD5:	3f93e2b9e4f395d06b6dd096368c3408
SHA1:	30ff267a7f126da5d880ac41fad5c6ebe0bcaf37
SHA256:	3454fcc1cd07d8d82c49ce44e3eee266df4894d66f833be14cb16904eaf5b1c5
SHA512:	6fea049badd562cc0ce49649262e49e56ae44d2734da74f22529127bd5913fdcd4e93c2d31921c2f97d32b312ebc6ee7f979958be850bf1ee4daca80c7fbf384
SSDEEP:	196608:0oiuS4DVO5l+62uYk5B2utCmHZVwjRJpBFozYP:ji4DIb+62ujXtVHwjvpBFoz
TLSH:	459623A392500145EC958F39913B7DB135F33F5A8EB1BC3DA4DAB9D126B70B29223943
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rf...........!.........................................................p......................................43..A..

File Icon


Icon Hash:	8f775b59399b51a3

Static PE Info

General

Entrypoint:	0x10e5ebde
Entrypoint Section:	.vmp1
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x665219C1 [Sat May 25 17:02:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	1620a4502dccef1905f8a7cf281e66b9

Entrypoint Preview

Instruction
push 51B95B14h
call 00007FD834F45753h
rdtsc
test bx, bx
jmp 00007FD834F516A6h
clc
xor ebx, eax
add ebp, eax
jmp 00007FD834855A09h
cmp dx, bx
add esi, eax
jmp 00007FD8350073B7h
mov eax, dword ptr [edi]
mov cx, word ptr [eax]
lea edi, dword ptr [edi+00000002h]
add eax, 032142E6h
rcl al, 00000032h
mov word ptr [edi], cx
btc ax, dx
lea esi, dword ptr [esi-00000004h]
neg eax
not al
sub al, 49h
mov eax, dword ptr [esi]
xor eax, ebx
jmp 00007FD834E8CE10h
push esi
ret
mov esp, esi
popfd
rdtsc
cdq
cwde
pop edx
pop esi
movsx ebx, si
pop eax
pop ebp
pop edi
pop ebx
mov ecx, 592A2865h
pop ecx
ret
cmc
not ecx
test si, si
add ecx, 59A933A4h
cmc
cmp esp, esi
neg ecx
cmp sp, si
xor ebx, ecx
add edi, ecx
jmp edi
hlt
mov cl, 26h
pop ebp
add eax, 1F23636Fh
fimul dword ptr [ebx+63h]
scasd
lahf
pop ebx
dec ebp
and esi, edx
out dx, eax
lea esp, dword ptr [ebx-61316864h]
xor dword ptr [ebp-6Ch], ebx
push es
insb

inc eax
mov byte ptr [ebx], ch
mov dword ptr [8D00464Fh], eax
fdiv st(3), st(0)
xor dword ptr [edi+esi], ecx
fisttp qword ptr [esi-5C9E36E0h]
pushad
pop ds
push esi
retf
bound edx, dword ptr [eax+05h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xfa3334	0x41	.vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf33e0c	0x1a4	.vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfb4000	0x42b79	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfb3000	0x5d0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x805000	0xd4	.vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19707a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x199000	0x7a3e1	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x214000	0x89251	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp0	0x29e000	0x50950f	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1	0x7a8000	0x80ab90	0x80b000	8cce9014310fd43e82c249b02e0c7512	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xfb3000	0x5d0	0x1000	7081659e982a722f6b56c037e5de0481	False	0.194580078125	data	1.910537121329838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xfb4000	0x42b79	0x43000	5bd1b8cc26f193bb9068903497a61ac3	False	0.5984433302238806	data	5.773999931716925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xfb420c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0xfb44f4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0xfb461c	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.6021799272124745
RT_GROUP_ICON	0xff6644	0x14	data			1.2
RT_GROUP_ICON	0xff6658	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0xff666c	0x14	data	Chinese	China	1.25
RT_VERSION	0xff6680	0x240	data	Chinese	China	0.5642361111111112
RT_MANIFEST	0xff68c0	0x2b9	XML 1.0 document, ASCII text, with very long lines (697), with no line terminators			0.5279770444763271

Imports

DLL	Import
MSVFW32.dll	DrawDibDraw
AVIFIL32.dll	AVIStreamInfoA
WINMM.dll	midiOutPrepareHeader
WS2_32.dll	ntohl
KERNEL32.dll	GetVersion, GetVersionExA
USER32.dll	LoadStringA
GDI32.dll	GetStockObject
MSIMG32.dll	GradientFill
WINSPOOL.DRV	OpenPrinterA
comdlg32.dll	GetFileTitleA
ADVAPI32.dll	LookupPrivilegeValueA
SHELL32.dll	Shell_NotifyIconA
ole32.dll	CLSIDFromProgID
OLEAUT32.dll	SafeArrayUnaccessData
COMCTL32.dll	ImageList_Create
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery
USER32.dll	GetUserObjectInformationW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Exports

Name	Ordinal	Address
main	1	0x100a014f

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 26, 2024 08:46:19.530138969 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.534101963 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.534326077 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.534487963 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.535727978 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.535906076 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.536005020 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.536027908 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.540702105 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.540780067 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.540853024 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.540884018 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.545439959 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.545471907 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.545531034 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.545569897 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.545710087 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.545739889 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.545814991 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.545845032 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:19.550354958 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.550384045 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.555170059 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.555200100 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.603960991 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.604058027 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.604085922 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:19.604113102 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:20.474384069 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:20.510713100 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:20.548988104 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:20.705199957 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:21.127873898 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:21.205125093 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:21.321049929 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:21.321611881 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:21.326862097 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:21.331713915 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:21.596216917 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:21.596746922 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:21.601854086 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:21.606770992 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:21.828844070 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:21.828844070 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:21.833971024 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:21.838859081 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.106409073 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.113831997 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.113897085 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.118947983 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.123832941 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.195791006 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.201565027 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.201667070 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.201791048 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.201816082 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.288161039 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.288197041 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.408864975 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.412851095 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.412851095 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.417871952 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.422751904 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.652533054 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.655715942 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.655715942 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:22.661331892 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:22.666208029 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:23.221014977 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:23.408309937 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:23.478504896 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:23.483155966 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:23.548924923 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:23.595735073 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:23.690030098 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:23.690030098 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:23.695363045 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:23.700284004 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:23.712547064 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:23.767606020 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.084456921 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.084963083 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.090167046 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.142222881 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.341739893 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.341739893 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.345365047 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.345401049 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.486408949 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.491035938 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.491067886 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.491094112 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.496825933 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.705199957 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.816334009 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.822951078 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.861463070 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.877146006 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.895876884 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.908505917 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.912353039 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.913943052 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.919496059 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.924056053 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.924228907 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:24.929558992 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:24.934755087 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:25.095906019 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:25.486697912 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:25.486697912 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:25.491993904 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:25.496808052 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:25.498904943 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:25.498905897 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:25.503969908 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:25.508939028 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:25.725505114 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:25.728863955 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:25.728864908 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:25.734008074 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:25.738925934 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.003252029 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.003353119 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.224266052 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.229975939 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.230009079 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.230202913 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.230202913 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.260807037 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.260807037 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.260895014 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.260895014 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.261643887 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.287249088 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.287278891 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.307523966 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.307568073 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.312297106 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.312335014 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.312362909 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.312390089 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.312416077 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.317342043 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.372272015 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.372340918 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.378364086 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.383455992 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.383647919 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.388695002 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.439477921 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.639365911 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.674170971 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.674170971 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.680274010 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.697205067 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.697262049 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:26.727720976 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.732374907 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.732424021 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:26.751986980 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:27.059734106 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:27.190555096 CEST	80	49707	47.110.247.171	192.168.2.5
May 26, 2024 08:46:27.251965046 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:27.392606020 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:27.510983944 CEST	80	49705	47.110.247.171	192.168.2.5
May 26, 2024 08:46:27.648480892 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:27.648480892 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:27.653713942 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:27.658410072 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:27.705101013 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:28.047635078 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:28.057090998 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:28.057090998 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:28.066759109 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:28.115535975 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:28.842525959 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:28.892738104 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:29.086219072 CEST	80	49704	47.110.247.171	192.168.2.5
May 26, 2024 08:46:29.127070904 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:29.283093929 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:29.283138037 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:29.288188934 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:29.293040037 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:29.623445034 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:29.623445988 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:29.628804922 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:29.633636951 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:30.056885004 CEST	80	49706	47.110.247.171	192.168.2.5
May 26, 2024 08:46:30.127094984 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:30.228770971 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:30.283230066 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:30.636915922 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:30.689486980 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:31.100861073 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:31.142606020 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:32.329727888 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:32.333487988 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:32.335546017 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:32.340292931 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:32.343506098 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:32.343544006 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:32.348567963 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:32.353632927 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:32.366695881 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:32.366697073 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:32.371723890 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:32.376558065 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.278767109 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.302265882 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:33.302265882 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:33.327378988 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.332173109 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.332201958 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.332230091 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.359569073 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:33.359570026 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:33.359570026 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:33.359669924 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:33.364933968 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.369832039 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.402518988 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.402546883 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.757553101 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.826241970 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:33.861452103 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:34.060349941 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:34.065404892 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:34.065473080 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:34.229428053 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:34.229515076 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:34.250178099 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:34.250206947 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:34.378757954 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:34.486460924 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:34.656220913 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:34.656220913 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:34.661465883 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:34.666558981 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:34.697076082 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:34.767646074 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:35.208514929 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:35.208515882 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:35.213587046 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:35.218636036 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:35.615966082 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:35.798846960 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:36.135622025 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:36.135622025 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:36.415792942 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:36.415802002 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:36.415810108 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:36.419507980 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:36.419507980 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:36.436062098 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:36.436069965 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:36.817828894 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:36.822120905 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:36.822120905 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:36.827217102 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:36.881490946 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:37.384560108 CEST	80	49710	47.110.247.171	192.168.2.5
May 26, 2024 08:46:37.439577103 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:37.752377033 CEST	80	49709	47.110.247.171	192.168.2.5
May 26, 2024 08:46:37.798957109 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:51.409821033 CEST	49705	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:51.409909964 CEST	49707	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:53.975569010 CEST	49706	80	192.168.2.5	47.110.247.171
May 26, 2024 08:46:53.975720882 CEST	49704	80	192.168.2.5	47.110.247.171
May 26, 2024 08:47:01.862348080 CEST	49709	80	192.168.2.5	47.110.247.171
May 26, 2024 08:47:01.862438917 CEST	49710	80	192.168.2.5	47.110.247.171
May 26, 2024 08:47:33.754945993 CEST	49708	80	192.168.2.5	47.110.247.171
May 26, 2024 08:47:33.760611057 CEST	80	49708	47.110.247.171	192.168.2.5
May 26, 2024 08:47:33.760711908 CEST	49708	80	192.168.2.5	47.110.247.171

HTTP Request Dependency Graph

47.110.247.171

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	47.110.247.171	80	3356	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 08:46:19.536005020 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:19.536027908 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:23.483155966 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:23 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 33 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059830
May 26, 2024 08:46:24.341739893 CEST	360	OUT	POST /login/ver_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 349 Host: 47.110.247.171
May 26, 2024 08:46:24.341739893 CEST	349	OUT	Data Raw: 64 61 74 61 3d 62 33 66 66 31 61 34 31 38 35 32 32 31 36 37 65 34 36 63 35 38 39 33 33 31 61 31 31 36 34 39 66 31 38 65 62 37 62 38 65 62 30 65 39 66 65 65 66 66 34 33 34 63 63 33 63 63 64 64 64 38 62 37 62 61 35 38 32 65 36 65 35 62 37 64 33 35 Data Ascii: data=b3ff1a418522167e46c589331a11649f18eb7b8eb0e9feeff434cc3ccddd8b7ba582e6e5b7d350551fc3e7363a4f31dd810e809d85549d2d3847eeeae4c35b49df7aabf475757b5d5b661ef6c83150a36780b8691b7d5c8c12f8d1e92294b9e0029a4d99bb4c63f05954a221a7df36f4d7d01ab830e11d
May 26, 2024 08:46:24.822951078 CEST	441	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:24 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=iat1na01dn6hipsg9bf37ha374; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 34 0d 0a 65 34 61 64 36 33 66 61 33 61 33 64 32 39 34 34 61 32 34 62 62 31 39 65 30 30 33 65 34 34 33 38 61 35 61 65 66 36 31 61 66 39 37 62 66 31 31 62 65 63 33 35 32 35 30 39 61 35 63 37 31 65 62 66 38 64 32 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 44e4ad63fa3a3d2944a24bb19e003e4438a5aef61af97bf11bec352509a5c71ebf8d290
May 26, 2024 08:46:25.486697912 CEST	363	OUT	POST /login/jizhi2_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 301 Host: 47.110.247.171
May 26, 2024 08:46:25.486697912 CEST	301	OUT	Data Raw: 64 61 74 61 3d 62 30 66 62 34 62 31 33 38 66 37 35 31 62 37 65 31 31 39 32 64 62 33 34 34 65 31 31 33 31 39 31 31 39 65 34 37 66 64 63 65 36 62 38 61 30 65 35 61 35 36 31 39 63 33 38 39 61 38 62 64 39 37 33 61 65 38 38 65 33 62 33 65 37 38 37 30 Data Ascii: data=b0fb4b138f751b7e1192db344e11319119e47fdce6b8a0e5a5619c389a8bd973ae88e3b3e7870b5f1bc7e4316f4e61dad10b86ccd70a9f2b6f10b9ecb3c9084edb7cfdf0212e7e5357624ba6cf3c03f03adeb53d1a73508843fdd6ea73cee9e003cc4ecaed4d63a45555f025a3d934a687dc4bbef25bfe
May 26, 2024 08:46:26.261643887 CEST	437	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:26 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=3kqr8k8tkrb3rjpcnp6gaa5n22; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 30 0d 0a 39 35 32 33 35 61 36 35 39 35 38 64 66 31 31 64 65 61 31 31 36 36 66 32 31 65 31 39 61 63 35 63 64 37 33 61 63 35 64 36 35 62 30 38 66 62 37 33 64 31 38 39 38 62 37 39 36 63 33 36 61 33 35 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 4095235a65958df11dea1166f21e19ac5cd73ac5d65b08fb73d1898b796c36a3510
May 26, 2024 08:46:26.287249088 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:26.287278891 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:26.639365911 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:26 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 36 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059860
May 26, 2024 08:46:27.648480892 CEST	363	OUT	POST /login/jizhi2_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 301 Host: 47.110.247.171
May 26, 2024 08:46:27.648480892 CEST	301	OUT	Data Raw: 64 61 74 61 3d 62 37 66 65 34 62 34 31 38 34 37 32 34 39 37 64 34 30 63 31 64 38 33 34 31 61 34 62 36 33 39 37 31 65 65 62 32 61 38 65 62 35 62 38 61 62 62 39 61 35 36 33 63 62 33 39 63 39 38 66 64 39 37 66 66 31 38 33 65 31 62 32 65 30 64 34 30 Data Ascii: data=b7fe4b418472497d40c1d8341a4b63971eeb2a8eb5b8abb9a563cb39c98fd97ff183e1b2e0d407541b93b3366b1f338d815bd499d8099b2a6e44efb9b59e5d4e8f2eabf972787f5101654ef6cc6753a630d9be694f7e0d8d46ffd4b9279fb8b609ce4d98ea4e6bf35400a722a18e30a88f8a1cb0e62117
May 26, 2024 08:46:29.086219072 CEST	437	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:29 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=t9vp130q16p7gnpfppji2v7ql7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 30 0d 0a 63 32 31 38 30 33 63 39 63 63 65 35 65 30 61 65 61 36 33 33 35 62 63 61 66 37 61 62 65 39 38 62 61 64 65 36 35 65 32 63 66 62 37 65 62 38 62 33 66 33 35 62 62 65 34 37 62 36 38 33 66 36 65 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 40c21803c9cce5e0aea6335bcaf7abe98bade65e2cfb7eb8b3f35bbe47b683f6e90

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	47.110.247.171	80	6608	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 08:46:19.540853024 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:19.540884018 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:20.510713100 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:20 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 30 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059800
May 26, 2024 08:46:21.596216917 CEST	360	OUT	POST /login/ver_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 349 Host: 47.110.247.171
May 26, 2024 08:46:21.596746922 CEST	349	OUT	Data Raw: 64 61 74 61 3d 65 31 66 61 34 38 34 31 38 39 32 38 31 39 32 62 34 33 39 33 38 65 36 35 31 38 34 35 36 36 63 30 31 38 65 36 32 30 64 64 62 37 62 34 61 31 65 63 66 33 36 32 39 39 33 65 63 61 64 63 38 62 37 66 61 35 38 33 65 35 62 36 65 32 38 35 35 Data Ascii: data=e1fa48418928192b43938e65184566c018e620ddb7b4a1ecf362993ecadc8b7fa583e5b6e285520e4ec0e8636c4a3289d25fd6c6d55bcb2d6c44eebeb6cd0d1c8a2baef0252829545b364ca0986204f73689b839492e0f8f14a9daee75c8ebe20098189eec416bfe5e54f577a0db64a4d2da4eef34e449
May 26, 2024 08:46:22.408864975 CEST	441	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:22 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=cr3r5slgj1t1q7ne4c9k1orelh; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 34 0d 0a 62 61 66 65 39 36 39 38 63 66 38 34 64 31 34 62 66 64 63 31 37 38 61 32 65 62 36 35 61 35 37 64 34 61 61 32 35 38 61 62 39 66 31 35 34 33 31 34 31 36 32 31 64 34 30 32 36 39 39 65 30 62 39 66 33 31 38 64 0d 0a 30 0d 0a 0d 0a Data Ascii: 44bafe9698cf84d14bfdc178a2eb65a57d4aa258ab9f1543141621d402699e0b9f318d0
May 26, 2024 08:46:22.412851095 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:22.412851095 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:23.221014977 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:23 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 33 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059830
May 26, 2024 08:46:23.690030098 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:23.690030098 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:24.496825933 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:24 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 34 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059840
May 26, 2024 08:46:24.924056053 CEST	363	OUT	POST /login/jizhi2_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 301 Host: 47.110.247.171
May 26, 2024 08:46:24.924228907 CEST	301	OUT	Data Raw: 64 61 74 61 3d 62 34 66 38 31 38 31 63 64 64 32 35 34 39 32 62 31 31 63 37 38 66 36 39 34 39 31 35 33 64 63 34 34 39 65 35 32 31 64 31 62 65 62 38 61 64 62 66 61 36 33 32 39 63 36 63 63 64 38 65 38 61 37 63 61 33 64 65 65 35 65 36 65 33 38 33 35 Data Ascii: data=b4f8181cdd25492b11c78f6949153dc449e521d1beb8adbfa6329c6ccd8e8a7ca3dee5e6e383550b4c94e5346a18668ed00dd3cfd05d9d2c6a44efedb7cd5b4cdb78fdf772787256556149a4c83750f26289ef6f1d2a59db11a9d5ec77ccbbe1539f4d98ba4b6af55954f57af08f67a3d0db4abd500b08
May 26, 2024 08:46:25.725505114 CEST	437	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:25 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=0lhvd0e7b4ollnlgmav2rgp6iv; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 30 0d 0a 30 38 33 30 35 39 61 37 64 61 64 31 34 30 35 39 31 63 33 30 65 36 31 61 35 33 39 66 62 66 64 39 38 37 35 64 63 31 39 35 38 66 66 34 62 36 31 63 36 35 62 62 32 36 31 65 37 36 36 34 65 66 38 35 0d 0a 30 0d 0a 0d 0a Data Ascii: 40083059a7dad140591c30e61a539fbfd9875dc1958ff4b61c65bb261e7664ef850
May 26, 2024 08:46:25.728863955 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:25.728864908 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:27.510983944 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:27 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 37 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059870

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	47.110.247.171	80	3356	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 08:46:19.545710087 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:19.545739889 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:20.474384069 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:20 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 30 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059800
May 26, 2024 08:46:21.321049929 CEST	360	OUT	POST /login/ver_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 349 Host: 47.110.247.171
May 26, 2024 08:46:21.321611881 CEST	349	OUT	Data Raw: 64 61 74 61 3d 62 36 61 65 34 66 34 31 64 39 37 35 31 65 37 61 31 36 39 37 64 32 36 39 31 39 34 32 33 64 39 66 34 66 62 30 32 63 38 64 62 32 65 39 61 65 65 63 61 37 33 35 39 37 36 64 39 38 64 39 64 64 32 66 66 35 38 32 62 30 62 33 65 35 64 34 30 Data Ascii: data=b6ae4f41d9751e7a1697d26919423d9f4fb02c8db2e9aeeca735976d98d9dd2ff582b0b3e5d4025a19c1e135681a3cdad15c819cd90ecc7a6543e8eebec30c1bdf2aaba326782d0700624ff19c3106a2318ae83f1c785c8c43a880e574ccece1099f4cc8ef4f63f65d54a57aa3d934f5808a1eeb34e34e
May 26, 2024 08:46:22.106409073 CEST	441	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:22 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=3h7617vfhhe2su2a6kf21b2f0k; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 34 0d 0a 62 34 66 61 39 31 33 66 63 64 30 62 37 64 63 33 36 31 31 39 66 37 32 33 61 33 32 31 65 31 38 37 62 39 32 38 64 63 32 36 64 65 62 36 64 37 37 37 33 33 38 36 37 36 64 35 64 32 33 65 33 38 39 35 35 65 37 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 44b4fa913fcd0b7dc36119f723a321e187b928dc26deb6d777338676d5d23e38955e7e0
May 26, 2024 08:46:22.113831997 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:22.113897085 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:23.712547064 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:23 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 33 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059830
May 26, 2024 08:46:24.345365047 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:24.345401049 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:24.816334009 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:24 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 34 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059840
May 26, 2024 08:46:24.908505917 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:24.912353039 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:26.307568073 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:26 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 36 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059860
May 26, 2024 08:46:26.697205067 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:26.697262049 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:27.059734106 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:26 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 36 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059860
May 26, 2024 08:46:29.283093929 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:29.283138037 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:30.056885004 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:29 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 39 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059890

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	47.110.247.171	80	6608	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 08:46:19.545814991 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:19.545845032 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:21.127873898 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:21 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 31 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059810
May 26, 2024 08:46:21.828844070 CEST	360	OUT	POST /login/ver_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 349 Host: 47.110.247.171
May 26, 2024 08:46:21.828844070 CEST	349	OUT	Data Raw: 64 61 74 61 3d 62 36 61 65 34 66 34 31 64 39 37 35 31 65 37 61 31 36 39 37 64 32 36 39 31 39 34 32 33 64 39 66 34 66 62 30 32 63 38 64 62 32 65 39 61 65 65 63 61 37 33 35 39 37 36 64 39 38 64 39 64 64 32 66 66 35 38 32 62 30 62 33 65 35 64 34 30 Data Ascii: data=b6ae4f41d9751e7a1697d26919423d9f4fb02c8db2e9aeeca735976d98d9dd2ff582b0b3e5d4025a19c1e135681a3cdad15c819cd90ecc7a6543e8eebec30c1bdf2aaba326782d0700624ff19c3106a2318ae83f1c785c8c43a880e574ccece1099f4cc8ef4f63f65d54a57aa3d934f5808a1eeb34e34e
May 26, 2024 08:46:22.652533054 CEST	441	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:22 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=28rhbvp82vbgpgh3gkd9rm7o43; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 34 0d 0a 62 31 61 61 63 30 36 61 30 39 63 31 34 31 39 33 35 35 62 39 35 37 35 33 31 62 35 62 30 64 35 32 63 64 34 61 35 37 66 65 66 66 31 30 33 64 62 38 61 65 31 30 34 65 33 64 62 62 39 33 32 37 37 30 34 30 61 63 0d 0a 30 0d 0a 0d 0a Data Ascii: 44b1aac06a09c1419355b957531b5b0d52cd4a57feff103db8ae104e3dbb93277040ac0
May 26, 2024 08:46:22.655715942 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:22.655715942 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:23.478504896 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:23 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 33 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059830
May 26, 2024 08:46:24.084456921 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:24.084963083 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:24.895876884 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:24 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 34 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059840
May 26, 2024 08:46:25.498904943 CEST	363	OUT	POST /login/jizhi2_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 301 Host: 47.110.247.171
May 26, 2024 08:46:25.498905897 CEST	301	OUT	Data Raw: 64 61 74 61 3d 62 30 66 62 34 62 31 33 38 66 37 35 31 62 37 65 31 31 39 32 64 62 33 34 34 65 31 31 33 31 39 31 31 39 65 34 37 66 64 63 65 36 62 38 61 30 65 35 61 35 36 31 39 63 33 38 39 61 38 62 64 39 37 33 61 65 38 38 65 33 62 33 65 37 38 37 30 Data Ascii: data=b0fb4b138f751b7e1192db344e11319119e47fdce6b8a0e5a5619c389a8bd973ae88e3b3e7870b5f1bc7e4316f4e61dad10b86ccd70a9f2b6f10b9ecb3c9084edb7cfdf0212e7e5357624ba6cf3c03f03adeb53d1a73508843fdd6ea73cee9e003cc4ecaed4d63a45555f025a3d934a687dc4bbef25bfe
May 26, 2024 08:46:26.317342043 CEST	437	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:26 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=97itvfvrnddfeak3mbqvdt76mn; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 30 0d 0a 30 38 38 63 30 37 32 63 64 34 64 35 61 36 30 63 39 33 30 61 33 35 61 32 34 61 66 62 63 63 37 63 61 66 37 64 34 37 66 34 38 35 64 32 38 34 39 65 65 35 31 64 32 64 35 31 32 39 61 63 31 64 39 36 0d 0a 30 0d 0a 0d 0a Data Ascii: 40088c072cd4d5a60c930a35a24afbcc7caf7d47f485d2849ee51d2d5129ac1d960
May 26, 2024 08:46:26.372272015 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:26.372340918 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:27.190555096 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:27 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 37 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059870

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	47.110.247.171	80	4428	C:\Windows\System32\loaddll32.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 08:46:22.201791048 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:22.201816082 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:26.224266052 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:26 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 36 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059860
May 26, 2024 08:46:26.383455992 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:26 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 36 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059860
May 26, 2024 08:46:26.674170971 CEST	360	OUT	POST /login/ver_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 349 Host: 47.110.247.171
May 26, 2024 08:46:26.674170971 CEST	349	OUT	Data Raw: 64 61 74 61 3d 62 36 61 65 34 66 34 31 64 39 37 35 31 65 37 61 31 36 39 37 64 32 36 39 31 39 34 32 33 64 39 66 34 66 62 30 32 63 38 64 62 32 65 39 61 65 65 63 61 37 33 35 39 37 36 64 39 38 64 39 64 64 32 66 66 35 38 32 62 30 62 33 65 35 64 34 30 Data Ascii: data=b6ae4f41d9751e7a1697d26919423d9f4fb02c8db2e9aeeca735976d98d9dd2ff582b0b3e5d4025a19c1e135681a3cdad15c819cd90ecc7a6543e8eebec30c1bdf2aaba326782d0700624ff19c3106a2318ae83f1c785c8c43a880e574ccece1099f4cc8ef4f63f65d54a57aa3d934f5808a1eeb34e34e
May 26, 2024 08:46:28.047635078 CEST	441	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:27 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=sfgqv79bg2b2ce8mkg79bkqe93; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 34 0d 0a 62 36 66 66 64 32 37 30 66 37 39 30 63 62 36 30 65 35 34 36 36 38 34 36 39 34 39 61 65 38 64 34 65 37 64 62 39 62 64 63 34 34 63 33 35 37 62 61 39 35 35 38 32 35 31 31 64 32 37 34 39 33 38 36 32 31 31 63 0d 0a 30 0d 0a 0d 0a Data Ascii: 44b6ffd270f790cb60e5466846949ae8d4e7db9bdc44c357ba95582511d2749386211c0
May 26, 2024 08:46:28.057090998 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:28.057090998 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:28.842525959 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:28 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 38 38 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059880
May 26, 2024 08:46:29.623445034 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:29.623445988 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:31.100861073 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:31 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 31 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059910
May 26, 2024 08:46:32.329727888 CEST	363	OUT	POST /login/jizhi2_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 301 Host: 47.110.247.171
May 26, 2024 08:46:32.333487988 CEST	301	OUT	Data Raw: 64 61 74 61 3d 62 30 66 62 34 62 31 33 38 66 37 35 31 62 37 65 31 31 39 32 64 62 33 34 34 65 31 31 33 31 39 31 31 39 65 34 37 66 64 63 65 36 62 38 61 30 65 35 61 35 36 31 39 63 33 38 39 61 38 62 64 39 37 33 61 65 38 38 65 33 62 33 65 37 38 37 30 Data Ascii: data=b0fb4b138f751b7e1192db344e11319119e47fdce6b8a0e5a5619c389a8bd973ae88e3b3e7870b5f1bc7e4316f4e61dad10b86ccd70a9f2b6f10b9ecb3c9084edb7cfdf0212e7e5357624ba6cf3c03f03adeb53d1a73508843fdd6ea73cee9e003cc4ecaed4d63a45555f025a3d934a687dc4bbef25bfe
May 26, 2024 08:46:33.278767109 CEST	437	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:33 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=qb78jfp1kdijsq995icq333i3f; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 30 0d 0a 32 36 34 31 66 37 66 63 35 33 32 31 34 38 65 38 61 31 61 30 31 34 38 63 36 31 32 33 63 36 64 37 38 32 37 65 63 33 30 36 61 62 35 38 33 31 63 35 39 65 33 65 66 39 30 36 32 38 38 39 37 30 38 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 402641f7fc532148e8a1a0148c6123c6d7827ec306ab5831c59e3ef906288970830
May 26, 2024 08:46:33.302265882 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:33.302265882 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:33.757553101 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:33 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 33 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059930

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	47.110.247.171	80	5600	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 08:46:26.260807037 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:26.260807037 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:30.636915922 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:30 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 30 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059900
May 26, 2024 08:46:32.366695881 CEST	360	OUT	POST /login/ver_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 349 Host: 47.110.247.171
May 26, 2024 08:46:32.366697073 CEST	349	OUT	Data Raw: 64 61 74 61 3d 62 32 61 65 31 35 34 31 64 66 37 33 31 39 37 66 34 66 63 33 38 38 36 36 31 66 34 36 36 30 63 32 34 35 65 33 32 65 38 62 62 31 65 65 61 64 65 63 66 34 33 39 39 39 33 31 63 38 64 61 64 61 37 62 66 32 38 62 65 39 62 37 62 31 38 64 30 Data Ascii: data=b2ae1541df73197f4fc388661f4660c245e32e8bb1eeadecf4399931c8dada7bf28be9b7b18d0a0e1ec4b33e6f47348dd50c879a840898776c41bde9e39f594c867effa770297d5252674eac9a350fa460dcef3a1e7358d711aad1e522c9e5b454984f9ae94b63a50f5ca627a58d36f682dc4cea65b64b
May 26, 2024 08:46:33.327378988 CEST	441	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:33 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=pfnckp0m5ije8l126hk9ed7nd1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 34 0d 0a 62 35 66 65 32 31 66 62 63 39 36 33 38 37 66 62 38 63 62 31 34 61 35 32 66 36 35 61 61 66 33 34 63 62 33 35 65 66 35 30 61 38 65 34 35 62 39 61 34 66 30 65 30 38 32 34 62 63 65 33 62 65 32 32 32 61 62 31 0d 0a 30 0d 0a 0d 0a Data Ascii: 44b5fe21fbc96387fb8cb14a52f65aaf34cb35ef50a8e45b9a4f0e0824bce3be222ab10
May 26, 2024 08:46:33.359569073 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:33.359570026 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:34.378757954 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:34 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 34 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059940
May 26, 2024 08:46:34.656220913 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:34.656220913 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:35.615966082 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:35 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 35 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059950
May 26, 2024 08:46:36.135622025 CEST	363	OUT	POST /login/jizhi2_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 301 Host: 47.110.247.171
May 26, 2024 08:46:36.135622025 CEST	301	OUT	Data Raw: 64 61 74 61 3d 62 30 66 62 34 62 31 33 38 66 37 35 31 62 37 65 31 31 39 32 64 62 33 34 34 65 31 31 33 31 39 31 31 39 65 34 37 66 64 63 65 36 62 38 61 30 65 35 61 35 36 31 39 63 33 38 39 61 38 62 64 39 37 33 61 65 38 38 65 33 62 33 65 37 38 37 30 Data Ascii: data=b0fb4b138f751b7e1192db344e11319119e47fdce6b8a0e5a5619c389a8bd973ae88e3b3e7870b5f1bc7e4316f4e61dad10b86ccd70a9f2b6f10b9ecb3c9084edb7cfdf0212e7e5357624ba6cf3c03f03adeb53d1a73508843fdd6ea73cee9e003cc4ecaed4d63a45555f025a3d934a687dc4bbef25bfe
May 26, 2024 08:46:36.817828894 CEST	437	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:36 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=ffub0sgso4eqmm86vnn9mfgou5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 30 0d 0a 62 65 39 66 30 35 39 62 39 38 39 61 61 38 64 63 32 61 66 31 65 65 34 64 31 66 35 64 32 32 37 39 63 64 33 66 66 31 34 36 32 66 61 30 34 36 65 61 30 39 38 64 32 61 64 37 65 33 37 34 64 35 35 32 0d 0a 30 0d 0a 0d 0a Data Ascii: 40be9f059b989aa8dc2af1ee4d1f5d2279cd3ff1462fa046ea098d2ad7e374d5520
May 26, 2024 08:46:36.822120905 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:36.822120905 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:37.752377033 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:37 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 37 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059970

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	47.110.247.171	80	5600	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
May 26, 2024 08:46:26.260895014 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:26.260895014 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:30.228770971 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:30 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 30 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059900
May 26, 2024 08:46:32.343506098 CEST	360	OUT	POST /login/ver_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 349 Host: 47.110.247.171
May 26, 2024 08:46:32.343544006 CEST	349	OUT	Data Raw: 64 61 74 61 3d 62 36 61 65 34 66 34 31 64 39 37 35 31 65 37 61 31 36 39 37 64 32 36 39 31 39 34 32 33 64 39 66 34 66 62 30 32 63 38 64 62 32 65 39 61 65 65 63 61 37 33 35 39 37 36 64 39 38 64 39 64 64 32 66 66 35 38 32 62 30 62 33 65 35 64 34 30 Data Ascii: data=b6ae4f41d9751e7a1697d26919423d9f4fb02c8db2e9aeeca735976d98d9dd2ff582b0b3e5d4025a19c1e135681a3cdad15c819cd90ecc7a6543e8eebec30c1bdf2aaba326782d0700624ff19c3106a2318ae83f1c785c8c43a880e574ccece1099f4cc8ef4f63f65d54a57aa3d934f5808a1eeb34e34e
May 26, 2024 08:46:33.332230091 CEST	441	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:33 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=auslftb9pj75cfnaeav2jhto63; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 34 0d 0a 62 61 61 66 33 65 35 66 66 34 32 66 62 39 32 36 64 35 66 65 30 34 63 62 63 63 34 32 37 39 62 30 31 39 65 31 64 32 66 39 64 33 35 65 33 65 39 36 36 62 34 64 32 31 31 38 64 30 39 31 62 30 63 66 34 32 36 63 0d 0a 30 0d 0a 0d 0a Data Ascii: 44baaf3e5ff42fb926d5fe04cbcc4279b019e1d2f9d35e3e966b4d2118d091b0cf426c0
May 26, 2024 08:46:33.359570026 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:33.359669924 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:33.826241970 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:33 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 33 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059930
May 26, 2024 08:46:34.065404892 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:33 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 33 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059930
May 26, 2024 08:46:34.229428053 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:34.229515076 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:34.697076082 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:34 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 34 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059940
May 26, 2024 08:46:35.208514929 CEST	363	OUT	POST /login/jizhi2_m.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 301 Host: 47.110.247.171
May 26, 2024 08:46:35.208515882 CEST	301	OUT	Data Raw: 64 61 74 61 3d 62 62 66 64 34 66 31 37 38 65 37 35 31 62 37 38 34 31 63 32 64 61 36 37 34 32 31 31 33 35 63 35 34 62 65 30 32 31 64 65 65 31 65 66 66 63 65 63 61 36 36 33 39 38 33 30 63 38 38 64 64 31 32 65 61 66 38 32 62 35 62 31 65 37 38 30 30 Data Ascii: data=bbfd4f178e751b7841c2da67421135c54be021dee1effceca6639830c88dd12eaf82b5b1e78006591ac2b0323d4e67de8206da9ad80d9f7d3c10eceae2ca501cda77f1f5732c7d5d50661daccc6007f86088b83e487e508c19ab80ea20c9eeb107ca49c5be186af60b50a127f28537a88ed81bbe535f76
May 26, 2024 08:46:36.415792942 CEST	437	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:36 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Set-Cookie: PHPSESSID=8gt98rj60vkq1a31m7jpc1egee; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 34 30 0d 0a 37 35 65 37 32 38 36 36 37 30 35 31 66 61 30 33 33 64 37 31 34 38 61 31 32 36 33 35 64 32 39 63 33 36 30 63 39 65 37 61 39 31 63 37 63 65 32 63 35 36 65 37 38 66 37 65 34 39 39 63 36 64 31 66 0d 0a 30 0d 0a 0d 0a Data Ascii: 4075e728667051fa033d7148a12635d29c360c9e7a91c7ce2c56e78f7e499c6d1f0
May 26, 2024 08:46:36.419507980 CEST	355	OUT	POST /login/t.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 13 Host: 47.110.247.171
May 26, 2024 08:46:36.419507980 CEST	13	OUT	Data Raw: 26 74 79 70 65 3d 67 65 74 69 6d 65 32 Data Ascii: &type=getime2
May 26, 2024 08:46:37.384560108 CEST	215	IN	HTTP/1.1 200 OK Server: nginx/1.15.11 Date: Sun, 26 May 2024 06:46:37 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.3.4 Data Raw: 61 0d 0a 31 37 31 36 37 30 35 39 39 37 0d 0a 30 0d 0a 0d 0a Data Ascii: a17167059970

Target ID:	0
Start time:	02:46:14
Start date:	26/05/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll"
Imagebase:	0xcf0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:46:14
Start date:	26/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:46:14
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:46:14
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\1Tkf1dTh5K.dll,main
Imagebase:	0xaf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:46:14
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1
Imagebase:	0xaf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:46:21
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",main
Imagebase:	0xaf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: http://47.110.247.171/login/jizhi2_m.php	Virustotal: Detection: 8%	Perma Link
Source: http://47.110.247.171/login/t.phpj	Virustotal: Detection: 8%	Perma Link
Source: http://47.110.247.171/C	Virustotal: Detection: 8%	Perma Link
Source: http://47.110.247.171/login/ver_m.php	Virustotal: Detection: 7%	Perma Link
Source: http://47.110.247.171/s	Virustotal: Detection: 7%	Perma Link
Source: http://47.110.247.171/	Virustotal: Detection: 9%	Perma Link
Source: http://47.110.247.171:80/login/t.php	Virustotal: Detection: 9%	Perma Link

Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/ver_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 349Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/ver_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 349Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/ver_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 349Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/ver_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 349Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/jizhi2_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 301Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/jizhi2_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 301Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/jizhi2_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 301Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/ver_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 349Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/jizhi2_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 301Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/jizhi2_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 301Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/ver_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 349Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/ver_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 349Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/jizhi2_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 301Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/jizhi2_m.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 301Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171
Source: global traffic	HTTP traffic detected: POST /login/t.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: text/html, application/xhtml+xml, /Accept-Encoding: gbk, GB2312Accept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Content-Length: 13Host: 47.110.247.171

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1Tkf1dTh5K.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 4428, Parent PID: 1028

General

Windows Analysis Report
1Tkf1dTh5K.dll