Edit tour

Windows Analysis Report
Reflective.dll

Overview

General Information

Sample Name:	Reflective.dll
Analysis ID:	697859
MD5:	9874aed4a2193b56546e4a8c83dbe4bc
SHA1:	cefcf0b595d3c334f6de9d355ea18c665df6dcfe
SHA256:	721bd583756cd987963d43add7321ea3d8fa348c283d0f0aa8f3b8ec0e4af0bc
Infos:

Detection

ReflectiveLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected ReflectiveLoader

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Yara signature match

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6004 cmdline: loaddll32.exe "C:\Users\user\Desktop\Reflective.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 5992 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5156 cmdline: rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2728 cmdline: rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5672 cmdline: rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic_check MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2792 cmdline: rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic_execute MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5480 cmdline: rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5300 cmdline: rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_check MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1400 cmdline: rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_execute MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1756 cmdline: rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_record MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5964 cmdline: rundll32.exe "C:\Users\user\Desktop\Reflective.dll",DestroyDllLogic MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Reflective.dll	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x3db2d6:$xs1: WS2_32.dll 0x3da275:$xs2: ReflectiveLoader
Reflective.dll	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x3da275:$x1: ReflectiveLoader
Reflective.dll	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
Reflective.dll	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Reflective.dll	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x3da274:$s1: _ReflectiveLoader@ 0x3da275:$s2: ReflectiveLoader@
Reflective.dll	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1242c4:$generic_loader_x86: 83 C4 04 89 45 FC 8B 4D 08 0F BE 11 03 55 FC 89 55 FC 8B 45 08 83 C0 01 89 45 08 8B 4D 08 0F BE
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.267935524.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: loaddll32.exe PID: 6004	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x7cc6:$xs1: WS2_32.dll 0x870d:$xs1: WS2_32.dll 0x52e0:$xs2: ReflectiveLoader 0x8d7d:$xs2: ReflectiveLoader
Process Memory Space: loaddll32.exe PID: 6004	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security

HTTP traffic detected: POST /qy/mv HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0)Content-Length: 8Host: w.nanweng.cn

Source: unknown

DNS traffic detected: queries for: w.nanweng.cn

Source: global traffic	HTTP traffic detected: GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: feirar.softbd.cn
Source: global traffic	HTTP traffic detected: GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: feirar.softbd.cn
Source: global traffic	HTTP traffic detected: GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: feirar.softbd.cn
Source: global traffic	HTTP traffic detected: GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: feirar.softbd.cn
Source: global traffic	HTTP traffic detected: GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: feirar.softbd.cn
Source: global traffic	HTTP traffic detected: GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: feirar.softbd.cn

Source: unknown	HTTPS traffic detected: 123.57.37.83:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 123.57.37.83:443 -> 192.168.2.3:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 123.57.37.83:443 -> 192.168.2.3:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 123.57.37.83:443 -> 192.168.2.3:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 123.57.37.83:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 123.57.37.83:443 -> 192.168.2.3:49747 version: TLS 1.2

Source: loaddll32.exe, 00000001.00000002.267935524.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: Reflective.dll, type: SAMPLE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: Reflective.dll, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: Reflective.dll, type: SAMPLE	Matched rule: Rule for beacon reflective loader Author: unknown

Source: Reflective.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: Reflective.dll, type: SAMPLE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Source: Reflective.dll, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: Reflective.dll, type: SAMPLE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Reflective.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: Reflective.dll, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: Process Memory Space: loaddll32.exe PID: 6004, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/

Source: Reflective.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Reflective.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic_check
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic_execute
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_check
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_execute
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_record
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",DestroyDllLogic
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic_check	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic_execute	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_check	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_execute	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_record	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",DestroyDllLogic	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Roaming\GlobalMgr.db

Jump to behavior

Source: classification engine

Classification label: mal76.evad.winDLL@21/1@12/2

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Reflective.dll

Static file information: File size 4344832 > 1048576

Source: Reflective.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Reflective.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2ec400

Source: Reflective.dll

Static PE information: More than 200 imports for KERNEL32.dll

Source: Reflective.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Reflective.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Reflective.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Reflective.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Reflective.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Reflective.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Reflective.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: Reflective.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Reflective.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Reflective.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Reflective.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Reflective.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: Reflective.dll, type: SAMPLE
Source: Yara match	File source: 00000001.00000002.267935524.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6004, type: MEMORYSTR

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000006.00000002.260130089.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.259212832.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257674265.00000000034A2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: rundll32.exe, 00000006.00000003.257497355.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.259410745.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.260312246.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257586313.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.266731713.0000000004E77000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.270536163.0000000004E6B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.265977125.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.268366971.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.269769752.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 47.103.45.17 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 123.57.37.83 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: feirar.softbd.cn
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: w.nanweng.cn

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	1 Input Capture	1 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Rundll32	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Reflective.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
w.nanweng.cn	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://zn1029.tdg68.com?248264Hello	0%	Avira URL Cloud	safe
http://w.nanweng.cn/qy/fr0	0%	Avira URL Cloud	safe
http://qh.ie.zdbc.baicuoa.com/	0%	Avira URL Cloud	safe
https://hao.baidu.cn/NCxodHRwczovL2hhby5iYWlkdS5jbi97ZWE5NTdjZWJmZjVmNTllMTBlYTNiZDNiMDJkZWE3ZDR9ezV	0%	Avira URL Cloud	safe
http://qh.ie.zdbc.baicuoa.com/	0%	Virustotal		Browse
http://w.nanweng.cn/qy/mvk	0%	Avira URL Cloud	safe
http://w.nanweng.cn/qy/frl	0%	Avira URL Cloud	safe
https://feirar.softbd.cn/api/gettool?uid=BLUrlBLHashBLHash	0%	Avira URL Cloud	safe
http://w.nanweng.cn/qy/fb(	0%	Avira URL Cloud	safe
http://w.nanweng.cn/qy/fr	0%	Avira URL Cloud	safe
https://feirar.softbd.cn/api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty	0%	Avira URL Cloud	safe
https://hao.baidu.cn/error1	0%	Avira URL Cloud	safe
http://w.nanweng.cn/qy/fb0	0%	Avira URL Cloud	safe
https://hao.baidu.cn/Software	0%	Avira URL Cloud	safe
http://zn1029.tdg68.com?248264	0%	Avira URL Cloud	safe
http://w.nanweng.cn/k-	0%	Avira URL Cloud	safe
http://qh.ie.zdbc.baicuoa.com/error1	0%	Avira URL Cloud	safe
http://w.nanweng.cn/qy/mv	0%	Avira URL Cloud	safe
https://hao.baidu.cn/	0%	Avira URL Cloud	safe
https://feirar.softbd.cn/api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig	0%	Avira URL Cloud	safe
https://feirar.softbd.cn/	0%	Avira URL Cloud	safe
http://w.nanweng.cn/	0%	Avira URL Cloud	safe
https://feirar.softbd.cn/api/gettool?uid=	0%	Avira URL Cloud	safe
https://feirar.softbd.cn/api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm	0%	Avira URL Cloud	safe
http://w.nanweng.cn/qy/fb	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
feirar.softbd.cn	123.57.37.83	true	true		unknown
w.nanweng.cn	47.103.45.17	true	true	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://w.nanweng.cn/qy/fr	true	Avira URL Cloud: safe	unknown
http://w.nanweng.cn/qy/mv	true	Avira URL Cloud: safe	unknown
https://feirar.softbd.cn/api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig	true	Avira URL Cloud: safe	unknown
http://w.nanweng.cn/qy/fb	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://qh.ie.zdbc.baicuoa.com/	Reflective.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://zn1029.tdg68.com?248264Hello	Reflective.dll	false	Avira URL Cloud: safe	unknown
http://w.nanweng.cn/qy/fr0	rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://hao.baidu.cn/NCxodHRwczovL2hhby5iYWlkdS5jbi97ZWE5NTdjZWJmZjVmNTllMTBlYTNiZDNiMDJkZWE3ZDR9ezV	Reflective.dll	false	Avira URL Cloud: safe	unknown
http://w.nanweng.cn/qy/mvk	rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://w.nanweng.cn/qy/frl	rundll32.exe, 00000008.00000003.265736430.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://feirar.softbd.cn/api/gettool?uid=BLUrlBLHashBLHash	Reflective.dll	false	Avira URL Cloud: safe	unknown
http://w.nanweng.cn/qy/fb(	rundll32.exe, 00000008.00000003.265736430.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://hao.baidu.cn/Software	Reflective.dll	false	Avira URL Cloud: safe	unknown
https://feirar.softbd.cn/api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty	rundll32.exe, 00000008.00000002.269769752.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.266408334.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://w.nanweng.cn/qy/fb0	rundll32.exe, 00000006.00000003.259570302.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257552461.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.260228346.00000000034FC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://feirar.cn-beijing.log.aliyuncs.com/logstores/feirar/track?APIVersion=0.6.0&uid=	Reflective.dll	false		high
https://hao.baidu.cn/error1	Reflective.dll	false	Avira URL Cloud: safe	unknown
http://zn1029.tdg68.com?248264	Reflective.dll	false	Avira URL Cloud: safe	unknown
https://curl.haxx.se/docs/http-cookies.html	Reflective.dll	false		high
http://w.nanweng.cn/k-	rundll32.exe, 00000008.00000003.265778683.0000000000F94000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	Reflective.dll	false		high
https://feirar.cn-beijing.log.aliyuncs.com/logstores/feirar/track?APIVersion=0.6.0&uid=uidappidappid	Reflective.dll	false		high
http://qh.ie.zdbc.baicuoa.com/error1	Reflective.dll	false	Avira URL Cloud: safe	unknown
https://hao.baidu.cn/	Reflective.dll	false	Avira URL Cloud: safe	unknown
https://feirar.cn-beijing.log.aliyuncs.com/logstores/feirar/track?APIVersion=0.6.0&uid=&type=SetUser	Reflective.dll	false		high
http://www.winimage.com/zLibDll	Reflective.dll	false		high
https://feirar.softbd.cn/	rundll32.exe, 00000006.00000002.260130089.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.259212832.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257552461.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.265977125.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.268366971.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.269769752.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://w.nanweng.cn/	rundll32.exe, 00000008.00000003.265778683.0000000000F94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.270106278.0000000000F94000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://feirar.cn-beijing.log.aliyuncs.com/logstores/feirar/track?APIVersion=0.6.0&uid=F767A1ACFCB14	Reflective.dll	false		high
https://feirar.softbd.cn/api/gettool?uid=	Reflective.dll	false	Avira URL Cloud: safe	unknown
https://feirar.softbd.cn/api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm	rundll32.exe, 00000008.00000003.268396085.0000000000F94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.270106278.0000000000F94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.103.45.17	w.nanweng.cn	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
123.57.37.83	feirar.softbd.cn	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	697859
Start date and time:	2022-09-06 03:29:29 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Reflective.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.evad.winDLL@21/1@12/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 80.67.82.211, 80.67.82.235
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a1449.dscg2.akamai.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:30:22	API Interceptor	4x Sleep call for process: rundll32.exe modified
03:30:32	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
w.nanweng.cn	SEMqjw.exe	Get hash	malicious	Browse	47.102.38.15
	AdobeAcrobatProDC2021.005.20048#U4e2d#U6587#U76f4#U88c5#U7834#U89e3#U7248@2223_16081.exe	Get hash	malicious	Browse	47.102.38.15
	http%3a%2f%2f35274.url.9xiazaiqi.com%2fxiaz%2f%e6%9e%81%e5%93%81%e4%ba%94%e7%ac%94%e8%be%93%e5%85%a5%e6%b3%95%401840620_25070.exe	Get hash	malicious	Browse	39.108.27.173

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	server.exe	Get hash	malicious	Browse	114.55.112.69
	5K9psKLy5Z.elf	Get hash	malicious	Browse	140.205.153.136
	gmQ54TfSou.elf	Get hash	malicious	Browse	8.175.154.49
	PaFMttaWWR.elf	Get hash	malicious	Browse	47.126.14.27
	Invoice_12_2022FGT_UKESTATE.exe	Get hash	malicious	Browse	121.199.35.98
	xBhep5s7Bl.elf	Get hash	malicious	Browse	8.184.34.235
	qF3BeEZkKL.elf	Get hash	malicious	Browse	223.7.237.156
	9QgbLAVmhw.exe	Get hash	malicious	Browse	118.31.70.184
	mips-20220903-1046.elf	Get hash	malicious	Browse	123.56.214.179
	9SNCHbNBia.exe	Get hash	malicious	Browse	120.79.140.182
	UiuZNHab2t.elf	Get hash	malicious	Browse	47.111.100.133
	MszUAO3Z9O.elf	Get hash	malicious	Browse	47.105.136.71
	0zmuEJLYOm.elf	Get hash	malicious	Browse	8.152.213.64
	http://www.soliscloud.com	Get hash	malicious	Browse	106.11.43.113
	sM6UPyyNir.exe	Get hash	malicious	Browse	39.107.34.197
	fMPmDTlN15.exe	Get hash	malicious	Browse	39.107.34.197
	JBaNxUuW2X.elf	Get hash	malicious	Browse	121.196.172.195
	90YvkWBWD0	Get hash	malicious	Browse	123.56.103.89
	tGawAEY26l.exe	Get hash	malicious	Browse	39.107.34.197
	x86.elf	Get hash	malicious	Browse	121.197.47.194
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	server.exe	Get hash	malicious	Browse	114.55.112.69
	5K9psKLy5Z.elf	Get hash	malicious	Browse	140.205.153.136
	gmQ54TfSou.elf	Get hash	malicious	Browse	8.175.154.49
	PaFMttaWWR.elf	Get hash	malicious	Browse	47.126.14.27
	Invoice_12_2022FGT_UKESTATE.exe	Get hash	malicious	Browse	121.199.35.98
	xBhep5s7Bl.elf	Get hash	malicious	Browse	8.184.34.235
	qF3BeEZkKL.elf	Get hash	malicious	Browse	223.7.237.156
	9QgbLAVmhw.exe	Get hash	malicious	Browse	118.31.70.184
	mips-20220903-1046.elf	Get hash	malicious	Browse	123.56.214.179
	9SNCHbNBia.exe	Get hash	malicious	Browse	120.79.140.182
	UiuZNHab2t.elf	Get hash	malicious	Browse	47.111.100.133
	MszUAO3Z9O.elf	Get hash	malicious	Browse	47.105.136.71
	0zmuEJLYOm.elf	Get hash	malicious	Browse	8.152.213.64
	http://www.soliscloud.com	Get hash	malicious	Browse	106.11.43.113
	sM6UPyyNir.exe	Get hash	malicious	Browse	39.107.34.197
	fMPmDTlN15.exe	Get hash	malicious	Browse	39.107.34.197
	JBaNxUuW2X.elf	Get hash	malicious	Browse	121.196.172.195
	90YvkWBWD0	Get hash	malicious	Browse	123.56.103.89
	tGawAEY26l.exe	Get hash	malicious	Browse	39.107.34.197
	x86.elf	Get hash	malicious	Browse	121.197.47.194

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	quotation.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	f3Vqoz8nwq.exe	Get hash	malicious	Browse	123.57.37.83
	Q9MF4gUugY.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	h6gD49Yi1f.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	h6gD49Yi1f.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83
	file.exe	Get hash	malicious	Browse	123.57.37.83

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	4.477555292069875
Encrypted:	false
SSDEEP:	3:LDIdyGK3M+SNBWdyDMpeBDATDRNBWdyDMpe7V8reKvRiQGVXVK8E:3TWNBtDs5NNBtDseQpG5gz
MD5:	EE6357BC38570B42EE8A6656A6F0E694
SHA1:	8482B0518C6BCA441B9A0ED50C9609D83E736774
SHA-256:	B57399A88049F24D4CF5689A6A8F0DF5D31748A17438CA7922332250E005ADE8
SHA-512:	DF054DC96703BD5770A4149FED204A17D1274347CAD0265E61611DC9FC51197DD4E08C7D779E654D4865415635EB1E38547DD578D377FCB595CB28C791B22377
Malicious:	false
Preview:	[Profile]..config1=fe6c1464aadf85f8315663af8f631471..config2=fe6c1464aadf85f8315663af8f631471..config3=..config4=1b3d82ff206f2697db14bb5ee90b3a8d..config5=1..

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.492602719219229
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Reflective.dll
File size:	4344832
MD5:	9874aed4a2193b56546e4a8c83dbe4bc
SHA1:	cefcf0b595d3c334f6de9d355ea18c665df6dcfe
SHA256:	721bd583756cd987963d43add7321ea3d8fa348c283d0f0aa8f3b8ec0e4af0bc
SHA512:	1eb7e24b680ca0c5da1d5fd0dc8c5ac2fb0267e28b6d8a47a5c609c9ae4c3d068e9e2eb192f16743b612e3a6313f30e46c7d8a1f4155f27104fa3090a1a46ae9
SSDEEP:	49152:6FrIDN7WMfORfqWKm52Xzet9W8Lk6vs7MFu6z0YEj3rLtOhVbjBdEVizKQmAbHDO:6FsDdORyM5/9W8Aos4ciEj31VpAbs
TLSH:	48165B11A3C14025F4F725F5AAF9466A9C287E3007249CDB93E0355A96B09E3FE35E2F
File Content Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.........J.XO$.XO$.XO$.....@O$......O$.....zO$.....RO$..'!..O$..' .{O$..''.CO$..&'.UO$..& .hN$..& .9O$.Q7..]O$..&,.hO$.XO%..N$.Q7..yO$

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1029fdfc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x6304975F [Tue Aug 23 09:01:19 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	a4fb33c29b0d05630ae1f684908fd1a2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F7280C382B7h
call 00007F7280C39353h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F7280C38168h
add esp, 0Ch
pop ebp
retn 000Ch
push 00000010h
push 103D9B68h
call 00007F7280C3923Ah
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
mov byte ptr [ebp-19h], bl
mov dword ptr [ebp-04h], ebx
cmp ebx, dword ptr [ebp+10h]
je 00007F7280C382CDh
mov ecx, dword ptr [ebp+14h]
call dword ptr [102EE5C0h]
mov ecx, dword ptr [ebp+08h]
call dword ptr [ebp+14h]
mov eax, dword ptr [ebp+0Ch]
add dword ptr [ebp+08h], eax
inc ebx
mov dword ptr [ebp-20h], ebx
jmp 00007F7280C38292h
mov al, 01h
mov byte ptr [ebp-19h], al
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F7280C382CDh
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop esi
pop ebx
leave
retn 0014h
mov ebx, dword ptr [ebp-20h]
mov al, byte ptr [ebp-19h]
test al, al
jne 00007F7280C382C1h
push dword ptr [ebp+18h]
push ebx
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F7280C3833Bh
ret
push 0000000Ch
push 103D9B88h
call 00007F7280C391C6h
mov byte ptr [ebp-19h], 00000000h
mov ebx, dword ptr [ebp+0Ch]
mov eax, ebx
mov edi, dword ptr [ebp+10h]
imul eax, edi
mov esi, dword ptr [ebp+08h]
add esi, eax
mov dword ptr [ebp+08h], esi
and dword ptr [ebp-04h], 00000000h
mov eax, edi
dec edi
mov dword ptr [ebp+10h], edi
test eax, eax
je 00007F7280C382C7h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3db9a0	0xe8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3dba88	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x430000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x431000	0x1b1c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3ce9b0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3cea88	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3ce9e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2ee000	0x5c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ec3cc	0x2ec400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2ee000	0xef90c	0xefa00	False	0.22785541373239437	data	4.855031920499018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3de000	0x51ddc	0x2d600	False	0.04915633608815427	lif file	4.198034128154884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x430000	0x1e0	0x200	False	0.52734375	data	4.708553337303423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x431000	0x1b1c0	0x1b200	False	0.6515967021889401	GLS_BINARY_LSB_FIRST	6.688688952693794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x430060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	DisableThreadLibraryCalls, FindFirstFileA, GetComputerNameW, LocalFree, FindResourceW, SizeofResource, LoadResource, LockResource, lstrlenW, GetFileSize, CreateProcessW, WriteFile, CreateFileA, GetFileAttributesA, SetFileAttributesA, WideCharToMultiByte, MultiByteToWideChar, GetVersionExW, CreateDirectoryW, CreateDirectoryA, GetEnvironmentVariableW, GetEnvironmentVariableA, GetModuleFileNameA, TerminateProcess, GetCurrentProcess, OpenProcess, Process32Next, Process32First, CreateToolhelp32Snapshot, FindNextFileW, FindFirstFileW, DeleteFileW, DeleteFileA, SetFileAttributesW, GetTempPathW, GetTempPathA, GetSystemDirectoryW, OutputDebugStringW, OutputDebugStringA, GetModuleHandleW, GetSystemInfo, FindClose, Sleep, WaitForSingleObject, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, ResumeThread, GetLastError, TerminateThread, RaiseException, GetProcAddress, DecodePointer, CreateFileW, MapViewOfFile, CreateFileMappingW, GetSystemTime, LockFileEx, CreateFileMappingA, UnlockFile, HeapCompact, GetVersionExA, FlushViewOfFile, GetDiskFreeSpaceA, HeapValidate, UnmapViewOfFile, CreateMutexW, UnlockFileEx, CloseHandle, ReadFile, LockFile, GetDiskFreeSpaceW, HeapCreate, TryEnterCriticalSection, AreFileApisANSI, WriteConsoleW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, SetStdHandle, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryW, GetTimeZoneInformation, FlushFileBuffers, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetConsoleCP, ReadConsoleW, SetConsoleMode, ReadConsoleInputA, GetConsoleMode, ExitProcess, SetConsoleCtrlHandler, FindFirstFileExW, SetFilePointerEx, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetDriveTypeW, GetFileAttributesExW, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, CreateThread, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, EncodePointer, FormatMessageW, GetSystemTimeAsFileTime, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, CreateEventW, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, FreeLibrary, LoadLibraryW, QueryPerformanceFrequency, GetTickCount, QueryPerformanceCounter, MoveFileExW, WaitForMultipleObjects, GetFileType, GetStdHandle, PeekNamedPipe, SetLastError, FormatMessageA, VerSetConditionMask, VerifyVersionInfoW, FindNextFileA, HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindResourceExW, WritePrivateProfileStringA, GetFileAttributesW, DeviceIoControl, GetLocalTime, lstrcmpA, GetPrivateProfileStringW, GetSystemDirectoryA, GetVolumeInformationA, IsBadReadPtr, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, GetPrivateProfileStringA, LoadLibraryA, VirtualProtect, TlsAlloc, TlsGetValue, TlsSetValue, SetFilePointer, LoadLibraryExA, InterlockedCompareExchange, GetModuleHandleA, LocalAlloc, GetCurrentThread, VirtualQuery, VirtualAlloc, VirtualFree, GetNativeSystemInfo, FlushInstructionCache, VirtualProtectEx, VirtualQueryEx, GetCurrentThreadId, GetThreadContext, SetThreadContext, SuspendThread, LoadLibraryExW, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, GetCurrentProcessId, GlobalMemoryStatus, FlushConsoleInputBuffer, InterlockedExchange, SwitchToThread, SetEndOfFile, GetPrivateProfileIntA, CopyFileW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, SetEvent, ResetEvent, WaitForSingleObjectEx
USER32.dll	GetDesktopWindow, GetUserObjectInformationW, MessageBoxA, wsprintfW, GetProcessWindowStation
ADVAPI32.dll	RegOpenKeyExW, GetLengthSid, SetSecurityInfo, InitializeAcl, AddAce, DeleteAce, GetAce, GetAclInformation, GetSecurityInfo, RegCloseKey, RegEnumValueW, RegQueryValueExW, RegCreateKeyExW, CryptAcquireContextW, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptGenRandom, RegDeleteValueW, ConvertSidToStringSidW, IsValidSid, GetSidIdentifierAuthority, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, CryptAcquireContextA, CryptDeriveKey, CryptDestroyKey, CryptEncrypt, CryptDecrypt, GetTokenInformation, OpenThreadToken, DeregisterEventSource, RegisterEventSourceA, ReportEventA, RegDeleteKeyW, RegSetValueExA, ConvertSidToStringSidA, LookupAccountNameW, RegQueryValueExA, RegOpenKeyExA, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, RegSetValueExW, RegEnumKeyExW, RegOpenKeyW
SHELL32.dll	SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetFolderPathA, SHGetSpecialFolderPathA, ShellExecuteW, SHGetSpecialFolderPathW, SHGetMalloc, SHGetFolderPathW
ole32.dll	CoInitializeEx, CoUninitialize, CoCreateInstance, CoTaskMemFree, CoCreateGuid, CoInitialize
OLEAUT32.dll	SysAllocStringLen, SysFreeString, VariantClear, SysAllocString
WINHTTP.dll	WinHttpSendRequest, WinHttpQueryDataAvailable, WinHttpReadData, WinHttpReceiveResponse, WinHttpCrackUrl, WinHttpSetTimeouts, WinHttpOpenRequest, WinHttpOpen, WinHttpCloseHandle, WinHttpConnect
WLDAP32.dll
IPHLPAPI.DLL	GetAdaptersInfo
SHLWAPI.dll	StrStrIA, StrStrIW, PathAppendW, PathFileExistsW, PathRemoveFileSpecW, PathAddBackslashA, PathAppendA, PathFileExistsA
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WININET.dll	InternetReadFile, InternetCrackUrlA, HttpSendRequestA, HttpOpenRequestA, InternetConnectA, HttpQueryInfoW, InternetOpenA, InternetCloseHandle, InternetCanonicalizeUrlA
NETAPI32.dll	Netbios
WS2_32.dll	closesocket, recv, gethostname, sendto, recvfrom, freeaddrinfo, getaddrinfo, select, send, WSAGetLastError, bind, connect, getpeername, getsockname, getsockopt, htons, ntohs, setsockopt, socket, WSASetLastError, WSAIoctl, WSAStartup, WSACleanup, accept, htonl, listen, ioctlsocket, __WSAFDIsSet

Exports

Name	Ordinal	Address
CreateDllLogic	1	0x10109710
CreateDllLogic_check	2	0x10109770
CreateDllLogic_execute	3	0x101097d0
CreateDllLogic_record	4	0x10109830
DestroyDllLogic	5	0x100e58b0
_ReflectiveLoader@4	6	0x10124770

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 6, 2022 03:30:21.535502911 CEST	49720	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.536010981 CEST	49721	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.536442995 CEST	49722	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.622503996 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:21.622561932 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:21.622745991 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:21.630573988 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:21.630604982 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:21.735517025 CEST	80	49720	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.735712051 CEST	49720	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.737380981 CEST	49720	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.737488985 CEST	49720	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.740102053 CEST	80	49721	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.740258932 CEST	49721	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.740884066 CEST	49721	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.741005898 CEST	49721	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.745518923 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:21.745563984 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:21.745637894 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:21.755661011 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:21.755705118 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:21.762319088 CEST	49725	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.762388945 CEST	49726	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.762434006 CEST	49727	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.762500048 CEST	80	49722	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.762586117 CEST	49722	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.762898922 CEST	49722	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.762953997 CEST	49722	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.937669992 CEST	80	49720	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.937697887 CEST	80	49720	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.937818050 CEST	80	49720	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.942708015 CEST	80	49721	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.942728996 CEST	80	49721	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.942917109 CEST	80	49721	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.963768959 CEST	80	49727	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.963910103 CEST	49727	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.964160919 CEST	80	49726	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.964222908 CEST	49726	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.964245081 CEST	49727	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.964304924 CEST	49727	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.964806080 CEST	49726	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.964871883 CEST	49726	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.985125065 CEST	80	49725	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.985225916 CEST	49725	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.985635042 CEST	49725	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.985678911 CEST	49725	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.987616062 CEST	49721	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:21.988903999 CEST	80	49722	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.988961935 CEST	80	49722	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:21.989026070 CEST	80	49722	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.018794060 CEST	49720	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:22.166033983 CEST	80	49727	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.166054010 CEST	80	49727	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.166069031 CEST	80	49727	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.166311026 CEST	80	49726	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.166343927 CEST	80	49726	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.166644096 CEST	80	49726	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.186456919 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.186562061 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.189754963 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.189778090 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.190016031 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.206319094 CEST	49726	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:22.206327915 CEST	49722	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:22.206337929 CEST	49727	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:22.208329916 CEST	80	49725	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.208348036 CEST	80	49725	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.208471060 CEST	80	49725	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:22.253196001 CEST	49725	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:22.315694094 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.318460941 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.318586111 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.360757113 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.360790968 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.361407042 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.409455061 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.561609983 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.603374958 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.705210924 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.747375011 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.751641989 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.751702070 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.751776934 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.753596067 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.753632069 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.753654003 CEST	49723	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.753674030 CEST	443	49723	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.902914047 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.902992010 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.903058052 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.928576946 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.928615093 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:22.928654909 CEST	49724	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:22.928664923 CEST	443	49724	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:23.512208939 CEST	49720	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:23.512309074 CEST	49721	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:23.512356043 CEST	49722	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:23.610135078 CEST	49727	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:23.610152960 CEST	49725	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:23.610227108 CEST	49726	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:27.900346994 CEST	49728	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:27.900372982 CEST	49729	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:27.900443077 CEST	49730	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.103446960 CEST	80	49730	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.103653908 CEST	49730	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.104566097 CEST	49730	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.104672909 CEST	49730	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.117033005 CEST	80	49728	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.117206097 CEST	49728	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.118088007 CEST	49728	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.118252039 CEST	49728	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.126355886 CEST	80	49729	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.126519918 CEST	49729	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.127408028 CEST	49729	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.127543926 CEST	49729	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.140527964 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:28.140578985 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:28.140719891 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:28.149158001 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:28.149205923 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:28.307714939 CEST	80	49730	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.307760000 CEST	80	49730	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.307800055 CEST	80	49730	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.334357977 CEST	80	49728	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.334379911 CEST	80	49728	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.334583998 CEST	80	49728	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.344491005 CEST	80	49729	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.344605923 CEST	80	49729	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.344790936 CEST	80	49729	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:28.363110065 CEST	49730	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.378710985 CEST	49728	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.385472059 CEST	49729	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:28.698299885 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:28.698415995 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:28.701416969 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:28.701426983 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:28.701652050 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:28.753740072 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:28.991920948 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:29.039370060 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:29.191205978 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:29.191276073 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:29.191364050 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:29.192481041 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:29.192497015 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:29.192610979 CEST	49731	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:29.192619085 CEST	443	49731	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:29.964632988 CEST	49730	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:29.964832067 CEST	49728	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:29.964979887 CEST	49729	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.639255047 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:31.639292955 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:31.639391899 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:31.658031940 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:31.658052921 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:31.662638903 CEST	49736	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.662715912 CEST	49735	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.662864923 CEST	49737	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.857225895 CEST	80	49737	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:31.857361078 CEST	49737	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.878012896 CEST	49737	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.878062963 CEST	49737	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.889481068 CEST	80	49736	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:31.889637947 CEST	49736	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.889942884 CEST	80	49735	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:31.890021086 CEST	49735	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.891355991 CEST	49736	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.891402006 CEST	49736	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.892486095 CEST	49735	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:31.892548084 CEST	49735	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.072132111 CEST	80	49737	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.072149038 CEST	80	49737	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.072357893 CEST	80	49737	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.113404036 CEST	49737	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.118026018 CEST	80	49736	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.118041039 CEST	80	49736	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.118334055 CEST	80	49736	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.119046926 CEST	80	49735	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.119160891 CEST	80	49735	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.119409084 CEST	80	49735	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.160286903 CEST	49736	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.160785913 CEST	49735	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.219171047 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:32.219244003 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:32.252980947 CEST	49739	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.253052950 CEST	49738	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.253931999 CEST	49740	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.471071959 CEST	80	49740	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.471244097 CEST	49740	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.474359989 CEST	80	49739	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.474464893 CEST	49739	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.481601954 CEST	80	49738	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.481693029 CEST	49738	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.485933065 CEST	49740	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.486159086 CEST	49740	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.487598896 CEST	49739	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.487664938 CEST	49739	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.488154888 CEST	49738	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.488369942 CEST	49738	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.489429951 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:32.489453077 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:32.489522934 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:32.494983912 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:32.495001078 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:32.700481892 CEST	80	49740	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.700501919 CEST	80	49740	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.702049971 CEST	80	49740	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.708220959 CEST	80	49739	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.708236933 CEST	80	49739	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.708705902 CEST	80	49739	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.714658022 CEST	80	49738	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.714674950 CEST	80	49738	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.715179920 CEST	80	49738	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:32.754107952 CEST	49739	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.755207062 CEST	49740	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.769742012 CEST	49738	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.788778067 CEST	49745	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.789338112 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:32.789380074 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:32.789390087 CEST	49746	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.789412022 CEST	49744	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:32.789459944 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:32.795222998 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:32.795248032 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:32.839961052 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:32.839993000 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:32.840218067 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:32.894769907 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.007000923 CEST	80	49744	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.007167101 CEST	49744	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.009291887 CEST	49744	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.009339094 CEST	49744	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.014621019 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.014713049 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.015321016 CEST	80	49745	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.015342951 CEST	80	49746	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.015440941 CEST	49745	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.015760899 CEST	49746	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.020577908 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.020600080 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.020987034 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.033520937 CEST	49745	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.033601046 CEST	49745	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.034578085 CEST	49746	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.034735918 CEST	49746	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.066628933 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.225120068 CEST	80	49744	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.225172997 CEST	80	49744	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.226861000 CEST	80	49744	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.245659113 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.259574890 CEST	80	49745	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.259618998 CEST	80	49745	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.259886980 CEST	80	49746	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.259931087 CEST	80	49745	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.259965897 CEST	80	49746	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.260555983 CEST	80	49746	47.103.45.17	192.168.2.3
Sep 6, 2022 03:30:33.270169973 CEST	49744	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.287420988 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.301135063 CEST	49745	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.301145077 CEST	49746	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:33.354798079 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.354903936 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.449256897 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.449366093 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.449451923 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.449765921 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.449794054 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.449826002 CEST	49734	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.449841976 CEST	443	49734	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.469676018 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.469707966 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.470232010 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.478018999 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.519803047 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.523366928 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.662218094 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.662344933 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.662415028 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.663187027 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.663206100 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:33.663218975 CEST	49742	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:33.663224936 CEST	443	49742	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:34.229949951 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:34.271456957 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:34.428205013 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:34.428308964 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:34.429164886 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:34.430614948 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:34.430660963 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:34.430681944 CEST	49747	443	192.168.2.3	123.57.37.83
Sep 6, 2022 03:30:34.430696011 CEST	443	49747	123.57.37.83	192.168.2.3
Sep 6, 2022 03:30:34.736468077 CEST	49735	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:34.736553907 CEST	49737	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:34.736623049 CEST	49736	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:37.802726984 CEST	49738	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:37.802808046 CEST	49740	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:37.802944899 CEST	49739	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:38.021056890 CEST	49744	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:38.021102905 CEST	49746	80	192.168.2.3	47.103.45.17
Sep 6, 2022 03:30:38.021209955 CEST	49745	80	192.168.2.3	47.103.45.17

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 6, 2022 03:30:21.216397047 CEST	53975	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:21.342720985 CEST	51139	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:21.444014072 CEST	52955	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:21.455902100 CEST	60582	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:21.498991013 CEST	53	53975	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:21.620800972 CEST	53	51139	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:21.725657940 CEST	53	52955	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:21.759552956 CEST	53	60582	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:27.867680073 CEST	57134	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:27.871007919 CEST	62050	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:27.885759115 CEST	53	57134	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:28.136857986 CEST	53	62050	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:31.342751980 CEST	56042	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:31.342984915 CEST	59636	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:31.628815889 CEST	53	59636	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:31.659616947 CEST	53	56042	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:32.215157032 CEST	55638	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:32.221647024 CEST	57704	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:32.241300106 CEST	53	57704	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:32.486915112 CEST	53	55638	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:32.713514090 CEST	60767	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:32.726579905 CEST	65107	53	192.168.2.3	8.8.8.8
Sep 6, 2022 03:30:32.735215902 CEST	53	60767	8.8.8.8	192.168.2.3
Sep 6, 2022 03:30:32.746033907 CEST	53	65107	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 6, 2022 03:30:21.216397047 CEST	192.168.2.3	8.8.8.8	0x91bd	Standard query (0)	w.nanweng.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:21.342720985 CEST	192.168.2.3	8.8.8.8	0x8e3a	Standard query (0)	feirar.softbd.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:21.444014072 CEST	192.168.2.3	8.8.8.8	0x51ab	Standard query (0)	feirar.softbd.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:21.455902100 CEST	192.168.2.3	8.8.8.8	0xfda8	Standard query (0)	w.nanweng.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:27.867680073 CEST	192.168.2.3	8.8.8.8	0xaf55	Standard query (0)	w.nanweng.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:27.871007919 CEST	192.168.2.3	8.8.8.8	0x7610	Standard query (0)	feirar.softbd.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:31.342751980 CEST	192.168.2.3	8.8.8.8	0xb158	Standard query (0)	w.nanweng.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:31.342984915 CEST	192.168.2.3	8.8.8.8	0x1775	Standard query (0)	feirar.softbd.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:32.215157032 CEST	192.168.2.3	8.8.8.8	0x7c02	Standard query (0)	feirar.softbd.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:32.221647024 CEST	192.168.2.3	8.8.8.8	0x52f7	Standard query (0)	w.nanweng.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:32.713514090 CEST	192.168.2.3	8.8.8.8	0x584b	Standard query (0)	w.nanweng.cn	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:32.726579905 CEST	192.168.2.3	8.8.8.8	0x4c5a	Standard query (0)	feirar.softbd.cn	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 6, 2022 03:30:21.498991013 CEST	8.8.8.8	192.168.2.3	0x91bd	No error (0)	w.nanweng.cn	47.103.45.17	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:21.620800972 CEST	8.8.8.8	192.168.2.3	0x8e3a	No error (0)	feirar.softbd.cn	123.57.37.83	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:21.725657940 CEST	8.8.8.8	192.168.2.3	0x51ab	No error (0)	feirar.softbd.cn	123.57.37.83	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:21.759552956 CEST	8.8.8.8	192.168.2.3	0xfda8	No error (0)	w.nanweng.cn	47.103.45.17	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:27.885759115 CEST	8.8.8.8	192.168.2.3	0xaf55	No error (0)	w.nanweng.cn	47.103.45.17	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:28.136857986 CEST	8.8.8.8	192.168.2.3	0x7610	No error (0)	feirar.softbd.cn	123.57.37.83	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:31.628815889 CEST	8.8.8.8	192.168.2.3	0x1775	No error (0)	feirar.softbd.cn	123.57.37.83	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:31.659616947 CEST	8.8.8.8	192.168.2.3	0xb158	No error (0)	w.nanweng.cn	47.103.45.17	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:32.241300106 CEST	8.8.8.8	192.168.2.3	0x52f7	No error (0)	w.nanweng.cn	47.103.45.17	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:32.486915112 CEST	8.8.8.8	192.168.2.3	0x7c02	No error (0)	feirar.softbd.cn	123.57.37.83	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:32.735215902 CEST	8.8.8.8	192.168.2.3	0x584b	No error (0)	w.nanweng.cn	47.103.45.17	A (IP address)	IN (0x0001)
Sep 6, 2022 03:30:32.746033907 CEST	8.8.8.8	192.168.2.3	0x4c5a	No error (0)	feirar.softbd.cn	123.57.37.83	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

feirar.softbd.cn

w.nanweng.cn

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49723	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49724	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49726	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:21.964806080 CEST	667	OUT	POST /qy/fr HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:21.964871883 CEST	667	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:22.166644096 CEST	671	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:22 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.32 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49725	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:21.985635042 CEST	668	OUT	POST /qy/fb HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:21.985678911 CEST	668	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:22.208471060 CEST	676	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:22 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.31 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49730	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:28.104566097 CEST	683	OUT	POST /qy/fr HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:28.104672909 CEST	683	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:28.307800055 CEST	685	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:28 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.36 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49728	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:28.118088007 CEST	683	OUT	POST /qy/mv HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:28.118252039 CEST	684	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:28.334583998 CEST	686	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:28 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.34 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49729	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:28.127408028 CEST	684	OUT	POST /qy/fb HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:28.127543926 CEST	684	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:28.344790936 CEST	687	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:28 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.35 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49737	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:31.878012896 CEST	694	OUT	POST /qy/mv HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:31.878062963 CEST	694	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:32.072357893 CEST	696	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:31 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.32 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49736	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:31.891355991 CEST	695	OUT	POST /qy/fr HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:31.891402006 CEST	695	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:32.118334055 CEST	697	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:31 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.38 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.3	49735	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:31.892486095 CEST	695	OUT	POST /qy/fb HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:31.892548084 CEST	695	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:32.119409084 CEST	698	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:31 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.33 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.3	49740	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:32.485933065 CEST	707	OUT	POST /qy/mv HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:32.486159086 CEST	707	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:32.702049971 CEST	711	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:32 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.32 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.3	49739	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:32.487598896 CEST	708	OUT	POST /qy/fr HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:32.487664938 CEST	708	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:32.708705902 CEST	712	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:32 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.38 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49731	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.3	49738	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:32.488154888 CEST	708	OUT	POST /qy/fb HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:32.488369942 CEST	708	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:32.715179920 CEST	713	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:32 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.32 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.3	49744	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:33.009291887 CEST	717	OUT	POST /qy/fr HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:33.009339094 CEST	717	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:33.226861000 CEST	722	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:33 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.36 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.3	49745	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:33.033520937 CEST	721	OUT	POST /qy/mv HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:33.033601046 CEST	721	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:33.259931087 CEST	724	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:33 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.37 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.3	49746	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:33.034578085 CEST	721	OUT	POST /qy/fb HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:33.034735918 CEST	722	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:33.260555983 CEST	725	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:33 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.34 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49734	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49742	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49747	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49720	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:21.737380981 CEST	663	OUT	POST /qy/mv HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:21.737488985 CEST	663	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:21.937818050 CEST	666	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:21 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.37 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49721	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:21.740884066 CEST	663	OUT	POST /qy/fb HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:21.741005898 CEST	663	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:21.942917109 CEST	667	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:21 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.33 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49722	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:21.762898922 CEST	665	OUT	POST /qy/fr HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:21.762953997 CEST	665	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:21.989026070 CEST	669	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:21 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.37 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49727	47.103.45.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Sep 6, 2022 03:30:21.964245081 CEST	667	OUT	POST /qy/mv HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW1; Trident/5.0) Content-Length: 8 Host: w.nanweng.cn
Sep 6, 2022 03:30:21.964304924 CEST	667	OUT	Data Raw: 6a 73 3d 6e 75 6c 6c 0a Data Ascii: js=null
Sep 6, 2022 03:30:22.166069031 CEST	670	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Tue, 06 Sep 2022 01:30:22 GMT Content-Type: text/html Content-Length: 608 Connection: keep-alive Via: HTTP/1.1 SLB.35 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 54 65 6d 70 6f 72 61 72 69 6c 79 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>503 Service Temporarily Unavailable</title></head><body bgcolor="white"><center><h1>503 Service Temporarily Unavailable</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49723	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2022-09-06 01:30:22 UTC	OUT	GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: feirar.softbd.cn
2022-09-06 01:30:22 UTC	IN	HTTP/1.1 200 OK Server: nginx Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.3.11 Cache-control: no-store, max-age=0, no-cache Date: Tue, 06 Sep 2022 01:30:22 GMT
2022-09-06 01:30:22 UTC	IN	Data Raw: 31 34 0d 0a 7b 0a 20 20 20 20 22 45 72 72 43 6f 64 65 22 3a 20 30 0a 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 14{ "ErrCode": 0}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49724	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2022-09-06 01:30:22 UTC	OUT	GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: feirar.softbd.cn
2022-09-06 01:30:22 UTC	IN	HTTP/1.1 200 OK Server: nginx Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.3.11 Cache-control: no-store, max-age=0, no-cache Date: Tue, 06 Sep 2022 01:30:22 GMT
2022-09-06 01:30:22 UTC	IN	Data Raw: 31 34 0d 0a 7b 0a 20 20 20 20 22 45 72 72 43 6f 64 65 22 3a 20 30 0a 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 14{ "ErrCode": 0}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49731	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2022-09-06 01:30:28 UTC	1	OUT	GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: feirar.softbd.cn
2022-09-06 01:30:29 UTC	1	IN	HTTP/1.1 200 OK Server: nginx Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.3.11 Cache-control: no-store, max-age=0, no-cache Date: Tue, 06 Sep 2022 01:30:29 GMT
2022-09-06 01:30:29 UTC	1	IN	Data Raw: 31 34 0d 0a 7b 0a 20 20 20 20 22 45 72 72 43 6f 64 65 22 3a 20 30 0a 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 14{ "ErrCode": 0}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49734	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2022-09-06 01:30:33 UTC	1	OUT	GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: feirar.softbd.cn
2022-09-06 01:30:33 UTC	1	IN	HTTP/1.1 200 OK Server: nginx Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.3.11 Cache-control: no-store, max-age=0, no-cache Date: Tue, 06 Sep 2022 01:30:33 GMT
2022-09-06 01:30:33 UTC	2	IN	Data Raw: 31 34 0d 0a 7b 0a 20 20 20 20 22 45 72 72 43 6f 64 65 22 3a 20 30 0a 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 14{ "ErrCode": 0}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49742	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2022-09-06 01:30:33 UTC	2	OUT	GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: feirar.softbd.cn
2022-09-06 01:30:33 UTC	2	IN	HTTP/1.1 200 OK Server: nginx Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.3.11 Cache-control: no-store, max-age=0, no-cache Date: Tue, 06 Sep 2022 01:30:33 GMT
2022-09-06 01:30:33 UTC	2	IN	Data Raw: 31 34 0d 0a 7b 0a 20 20 20 20 22 45 72 72 43 6f 64 65 22 3a 20 30 0a 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 14{ "ErrCode": 0}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49747	123.57.37.83	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2022-09-06 01:30:34 UTC	2	OUT	GET /api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty=&os=unknownos&type=GetToolConfig HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: feirar.softbd.cn
2022-09-06 01:30:34 UTC	2	IN	HTTP/1.1 200 OK Server: nginx Content-Type: application/json; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.3.11 Cache-control: no-store, max-age=0, no-cache Date: Tue, 06 Sep 2022 01:30:34 GMT
2022-09-06 01:30:34 UTC	3	IN	Data Raw: 31 34 0d 0a 7b 0a 20 20 20 20 22 45 72 72 43 6f 64 65 22 3a 20 30 0a 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 14{ "ErrCode": 0}0

Target ID:	1
Start time:	03:30:19
Start date:	06/09/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Reflective.dll"
Imagebase:	0xc50000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.267935524.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	03:30:20
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	03:30:20
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic
Imagebase:	0x12b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	03:30:20
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Reflective.dll",#1
Imagebase:	0x12b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	03:30:23
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic_check
Imagebase:	0x12b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	03:30:27
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Reflective.dll,CreateDllLogic_execute
Imagebase:	0x12b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	03:30:30
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic
Imagebase:	0x12b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	03:30:30
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_check
Imagebase:	0x12b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	03:30:31
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_execute
Imagebase:	0x7ff651c80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	03:30:31
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Reflective.dll",CreateDllLogic_record
Imagebase:	0x12b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	12
Start time:	03:30:32
Start date:	06/09/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Reflective.dll",DestroyDllLogic
Imagebase:	0x12b0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Source: rundll32.exe, 00000006.00000003.259410745.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.260312246.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.268411622.0000000000FA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.270135162.0000000000FA1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.277324150.0000000004E83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Reflective.dll	String found in binary or memory: http://qh.ie.zdbc.baicuoa.com/
Source: Reflective.dll	String found in binary or memory: http://qh.ie.zdbc.baicuoa.com/error1
Source: rundll32.exe, 00000008.00000003.265778683.0000000000F94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.270106278.0000000000F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/
Source: rundll32.exe, 00000008.00000003.265778683.0000000000F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/k-
Source: rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.265736430.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.265675640.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/fb
Source: rundll32.exe, 00000008.00000003.265736430.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/fb(
Source: rundll32.exe, 00000006.00000003.259570302.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257552461.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.260228346.00000000034FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/fb0
Source: rundll32.exe, 00000006.00000003.257578076.0000000003517000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.265736430.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.265675640.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/fr
Source: rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/fr0
Source: rundll32.exe, 00000008.00000003.265736430.0000000000F80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/frl
Source: rundll32.exe, 00000006.00000003.257552461.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.265688715.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/mv
Source: rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.nanweng.cn/qy/mvk
Source: Reflective.dll	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Reflective.dll	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Reflective.dll	String found in binary or memory: http://zn1029.tdg68.com?248264
Source: Reflective.dll	String found in binary or memory: http://zn1029.tdg68.com?248264Hello
Source: Reflective.dll	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: Reflective.dll	String found in binary or memory: https://feirar.cn-beijing.log.aliyuncs.com/logstores/feirar/track?APIVersion=0.6.0&uid=
Source: Reflective.dll	String found in binary or memory: https://feirar.cn-beijing.log.aliyuncs.com/logstores/feirar/track?APIVersion=0.6.0&uid=&type=SetUser
Source: Reflective.dll	String found in binary or memory: https://feirar.cn-beijing.log.aliyuncs.com/logstores/feirar/track?APIVersion=0.6.0&uid=F767A1ACFCB14
Source: Reflective.dll	String found in binary or memory: https://feirar.cn-beijing.log.aliyuncs.com/logstores/feirar/track?APIVersion=0.6.0&uid=uidappidappid
Source: rundll32.exe, 00000006.00000002.260130089.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.259212832.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257552461.00000000034FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.257658659.0000000003497000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.265977125.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.268366971.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.269769752.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://feirar.softbd.cn/
Source: Reflective.dll	String found in binary or memory: https://feirar.softbd.cn/api/gettool?uid=
Source: Reflective.dll	String found in binary or memory: https://feirar.softbd.cn/api/gettool?uid=BLUrlBLHashBLHash
Source: rundll32.exe, 00000008.00000003.268396085.0000000000F94000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.270106278.0000000000F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://feirar.softbd.cn/api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm
Source: rundll32.exe, 00000008.00000002.269769752.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.266408334.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://feirar.softbd.cn/api/gettool?uid=fe6c1464aadf85f8315663af8f631471&unx=0&ver=&frm=&ins=0&inty
Source: Reflective.dll	String found in binary or memory: https://hao.baidu.cn/
Source: Reflective.dll	String found in binary or memory: https://hao.baidu.cn/NCxodHRwczovL2hhby5iYWlkdS5jbi97ZWE5NTdjZWJmZjVmNTllMTBlYTNiZDNiMDJkZWE3ZDR9ezV
Source: Reflective.dll	String found in binary or memory: https://hao.baidu.cn/Software
Source: Reflective.dll	String found in binary or memory: https://hao.baidu.cn/error1

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Reflective.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\GlobalMgr.db

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
Reflective.dll